Nantha Kumar Rajasekaren, profile picture
Uploaded byNantha Kumar Rajasekaren
PPSX, PPTX159 views

AWS Key Management

AWS Key Management Service (KMS) simplifies the creation and control of encryption keys for data encryption, utilizing FIPS 140-2 validated hardware security modules. The AWS Encryption SDK supports various AES encryption options and features data key caching to enhance efficiency in cryptographic operations. Different methods, including server-side and client-side encryption, are available for managing encryption in Amazon S3, allowing customers to select the key management approach that best suits their needs.

Technologyā—¦
Related topics:
Information Securityā€¢

Embed presentation

Download as PPSX, PPTX
Amazon Web Service ā€“ Key Management
AWS Key Management AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys.
Algorithm Suites in the AWS Encryption SDK ā€¢ The algorithms used in AWS Encryption SDK are the Advanced Encryption Standard (AES) algorithm in known as AES-GCM. ā€¢ The SDK supports 256-bit, 192-bit, and 128-bit encryption keys. The length of the initialization vector (IV) is always 12 bytes; the length of the authentication tag is always 16 bytes.
Other supported algorithm suites ā€¢ AES-GCM with Key Derivation Only The AES-GCM algorithm uses a key derivation function, but lacks the ECDSA signature that provides authenticity and nonrepudiation. ā€¢ AES-GCM without Key Derivation or Signing The AES-GCM algorithm uses the data encryption key as the AES-GCM encryption key, instead of using a key derivation function to derive a unique key.
AWS Encryption SDK Programming Languages ā€¢ Java ā€¢ Python ā€¢ Command Line interface
AWS - Data Key Caching Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one.
Benefits of Data Caching ā€¢ It leads to reuse of the data key ā€¢ It generates the numerous data keys ā€¢ Your cryptographic operations are unacceptably slow, expensive, limited, or resource-intensive.
The AWS Encryption SDK helps you to create and manage your data key cache. It provides a Local Crypto Material Cache and a caching cryptographic materials manager that interacts with the cache and enforces security thresholds that you set
ā€¢ Plaintext data key ā€¢ Encrypted data keys (one or more) ā€¢ Encryption context ā€¢ Message signing key (if one is used) ā€¢ Algorithm suite ā€¢ Metadata, including usage counters for enforcing security thresholds Data key caching stores data keys and related cryptographic materials in a cache. Each entry includes the elements listed below
Cached Entries for Decryption Requests The entries that are added to a data key cache as a result of a decryption operation include the following elements: ā€¢ Plaintext data key ā€¢ Signature verification key (if one is used) ā€¢ Metadata, including usage counters for enforcing security thresholds
Encrypt Data without Caching
Encrypt Data with Caching
Data Key Caching Example
Data Encryption in Amazon S3 Cloud storage services such as Amazon S3, the need for encryption is clear. Encrypting data-at-rest in almost any solution has long become best practice, and most IAAS providers offering storage will also offer encryption.
There are five ways to implement the data encryption in Amazon S3 ā€¢ Server-Side Encryption with Amazon S3-Managed Keys ā€¢ Server-Side Encryption with AWS KMS-Managed Keys ā€¢ Server-Side Encryption with Customer-Provided Keys ā€¢ Client-Side Encryption with an AWS KMSā€“Managed Customer Master Key ā€¢ Client-Side Encryption with a Client-Side Master Key
Server-Side Encryption with Amazon S3-Managed Keys Server-side encryption with Amazon S3- managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
Server-Side Encryption with AWS KMS-Managed Keys AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. You use AWS KMS via the Encryption Keys section in the IAM console or via AWS KMS APIs to centrally create encryption keys, define the policies that control how keys can be used, and audit key usage to prove they are being used correctly.
Highlights of SSE-KMS ā€¢ You can choose to create and manage encryption keys yourself. ā€¢ The data keys used to encrypt your data are also encrypted and stored alongside the data they protect. ā€¢ Auditable master keys can be created, rotated, and disabled from the IAM console. ā€¢ The security controls in AWS KMS can help you meet encryption- related compliance requirements.
Server-Side Encryption with Customer-Provided Keys Server-side encryption with customer- provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects.
Highlights of SSE-C ā€¢ You must use https protocol service only. ā€¢ You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.
Client-Side Encryption with an AWS KMSā€“Managed Customer Master Key Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options: ā€¢ Use an AWS KMS-managed customer master key ā€¢ Use a client-side master key
Thank Youā€¦ā€¦, Presented By; Nantha Kumar Rajasekaren,
To Follow Me ; Facebook; https://www.facebook.com/profile.php?id=100016683103655 Nantha Kumar Rajasekaren. Twitter ; https://twitter.com/NRajasekaren Nantha Kumar Rajasekaren. LinkedIn; https://www.linkedin.com/in/nantha-kumar-rajasekaren-502211148/ Nantha Kumar Rajasekaren.

More Related Content

PPTX
Introduction of AWS KMS
byRicardo Schmidt
Ā 
PPTX
Introduction to AWS KMS
byAkesh Patil
Ā 
PPTX
Simplified Encryption and Key Management
byMongoDB
Ā 
PDF
Protecting your data in AWS
byDinah Barrett
Ā 
PDF
Protect your Data on AWS using the Encryption method.pdf
byZen Bit Tech
Ā 
PPTX
AWS Security and Encryption
byRichard Harvey
Ā 
PDF
Aws securing data_at_rest_with_encryption (1)
byCMR WORLD TECH
Ā 
PDF
Using encryption with_aws
bysaifam
Ā 
Introduction of AWS KMS
byRicardo Schmidt
Ā 
Introduction to AWS KMS
byAkesh Patil
Ā 
Simplified Encryption and Key Management
byMongoDB
Ā 
Protecting your data in AWS
byDinah Barrett
Ā 
Protect your Data on AWS using the Encryption method.pdf
byZen Bit Tech
Ā 
AWS Security and Encryption
byRichard Harvey
Ā 
Aws securing data_at_rest_with_encryption (1)
byCMR WORLD TECH
Ā 
Using encryption with_aws
bysaifam
Ā 

Similar to AWS Key Management

PDF
Kms cryptographic-details
bysaifam
Ā 
PDF
Kms cryptographic-details (1)
bysaifam
Ā 
PDF
How to implement data encryption at rest in compliance with enterprise requir...
bySteffen Mazanek
Ā 
PDF
Aws kms in 10 minutes
byRajendran Senapathi
Ā 
PPTX
Presentation by R Behera on KMS aws
byRasananda BEHERA
Ā 
PPTX
AWS KMS( Presentation about AWS key management system).ppt.
byshaansaxena16
Ā 
PPTX
Big data security in AWS.pptx
byAshish210583
Ā 
PPTX
UNEC__1732702810.pptxddgdfvcfgg hxh f f g h s s. Rcyctcecec
bylefty8778
Ā 
PPTX
Aws s3 security
byOmid Vahdaty
Ā 
PDF
MySQL Security on AWS Rds
byMydbops
Ā 
PPTX
KMS at Okta - Intermediate Level
byJon Todd
Ā 
PDF
Austin CSS Slalom Presentation
byAlert Logic
Ā 
PPTX
Google Cloud Platform Key Management Best Practices
byKrishkrish440307
Ā 
PPTX
The fundamentals of AWS Cloud Security šŸ› ā›…ļøšŸš€
byThanh Nguyen
Ā 
PDF
AWS re:Invent re:Cap - ģ¢…ė‹Øź°„ ė³“ģ•ˆģ„ ģœ„ķ•œ ķ“ė¼ģš°ė“œ ģ•„ķ‚¤ķ…ģ²˜ źµ¬ģ¶• - ģ–‘ģŠ¹ė„
byAmazon Web Services Korea
Ā 
PPTX
Amazon web services (aws)
byKevin Bramwell Grant
Ā 
PDF
How AWS Encryption Key Options Impact Your Security and Compliance
byChris Bingham
Ā 
PDF
Aws key kms dg
byRENEE63398
Ā 
PDF
AWS Well Architected-Info Session WeCloudData
byWeCloudData
Ā 
PPTX
Application security meetup - cloud security best practices 24062021
bylior mazor
Ā 
Kms cryptographic-details
bysaifam
Ā 
Kms cryptographic-details (1)
bysaifam
Ā 
How to implement data encryption at rest in compliance with enterprise requir...
bySteffen Mazanek
Ā 
Aws kms in 10 minutes
byRajendran Senapathi
Ā 
Presentation by R Behera on KMS aws
byRasananda BEHERA
Ā 
AWS KMS( Presentation about AWS key management system).ppt.
byshaansaxena16
Ā 
Big data security in AWS.pptx
byAshish210583
Ā 
UNEC__1732702810.pptxddgdfvcfgg hxh f f g h s s. Rcyctcecec
bylefty8778
Ā 
Aws s3 security
byOmid Vahdaty
Ā 
MySQL Security on AWS Rds
byMydbops
Ā 
KMS at Okta - Intermediate Level
byJon Todd
Ā 
Austin CSS Slalom Presentation
byAlert Logic
Ā 
Google Cloud Platform Key Management Best Practices
byKrishkrish440307
Ā 
The fundamentals of AWS Cloud Security šŸ› ā›…ļøšŸš€
byThanh Nguyen
Ā 
AWS re:Invent re:Cap - ģ¢…ė‹Øź°„ ė³“ģ•ˆģ„ ģœ„ķ•œ ķ“ė¼ģš°ė“œ ģ•„ķ‚¤ķ…ģ²˜ źµ¬ģ¶• - ģ–‘ģŠ¹ė„
byAmazon Web Services Korea
Ā 
Amazon web services (aws)
byKevin Bramwell Grant
Ā 
How AWS Encryption Key Options Impact Your Security and Compliance
byChris Bingham
Ā 
Aws key kms dg
byRENEE63398
Ā 
AWS Well Architected-Info Session WeCloudData
byWeCloudData
Ā 
Application security meetup - cloud security best practices 24062021
bylior mazor
Ā 

Recently uploaded

PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
Ā 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
Ā 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
Ā 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
Ā 
PDF
How PayPal Account Verification Works ā€“ Complete Guide for Online Businesses
byjhdhj3989
Ā 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
Ā 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
Ā 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
Ā 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
Ā 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
Ā 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
Ā 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
Ā 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
Ā 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
Ā 
PPTX
TechSprint WinterHack ā€” Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
Ā 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
Ā 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
Ā 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
Ā 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
Ā 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
Ā 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
Ā 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
Ā 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
Ā 
How PayPal Account Verification Works ā€“ Complete Guide for Online Businesses
byjhdhj3989
Ā 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
Ā 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
Ā 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
Ā 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
Ā 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
Ā 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
Ā 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
Ā 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
Ā 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
Ā 
TechSprint WinterHack ā€” Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
Ā 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
Ā 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
Ā 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
Ā 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
Ā 

AWS Key Management

  • 1.
    Amazon Web Serviceā€“ Key Management
  • 2.
    AWS Key Management AWSKey Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys.
  • 3.
    Algorithm Suites inthe AWS Encryption SDK ā€¢ The algorithms used in AWS Encryption SDK are the Advanced Encryption Standard (AES) algorithm in known as AES-GCM. ā€¢ The SDK supports 256-bit, 192-bit, and 128-bit encryption keys. The length of the initialization vector (IV) is always 12 bytes; the length of the authentication tag is always 16 bytes.
  • 4.
    Other supported algorithmsuites ā€¢ AES-GCM with Key Derivation Only The AES-GCM algorithm uses a key derivation function, but lacks the ECDSA signature that provides authenticity and nonrepudiation. ā€¢ AES-GCM without Key Derivation or Signing The AES-GCM algorithm uses the data encryption key as the AES-GCM encryption key, instead of using a key derivation function to derive a unique key.
  • 5.
    AWS Encryption SDKProgramming Languages ā€¢ Java ā€¢ Python ā€¢ Command Line interface
  • 6.
    AWS - DataKey Caching Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one.
  • 7.
    Benefits of DataCaching ā€¢ It leads to reuse of the data key ā€¢ It generates the numerous data keys ā€¢ Your cryptographic operations are unacceptably slow, expensive, limited, or resource-intensive.
  • 8.
    The AWS EncryptionSDK helps you to create and manage your data key cache. It provides a Local Crypto Material Cache and a caching cryptographic materials manager that interacts with the cache and enforces security thresholds that you set
  • 9.
    ā€¢ Plaintext datakey ā€¢ Encrypted data keys (one or more) ā€¢ Encryption context ā€¢ Message signing key (if one is used) ā€¢ Algorithm suite ā€¢ Metadata, including usage counters for enforcing security thresholds Data key caching stores data keys and related cryptographic materials in a cache. Each entry includes the elements listed below
  • 10.
    Cached Entries forDecryption Requests The entries that are added to a data key cache as a result of a decryption operation include the following elements: ā€¢ Plaintext data key ā€¢ Signature verification key (if one is used) ā€¢ Metadata, including usage counters for enforcing security thresholds
  • 11.
  • 12.
  • 13.
  • 14.
    Data Encryption inAmazon S3 Cloud storage services such as Amazon S3, the need for encryption is clear. Encrypting data-at-rest in almost any solution has long become best practice, and most IAAS providers offering storage will also offer encryption.
  • 15.
    There are fiveways to implement the data encryption in Amazon S3 ā€¢ Server-Side Encryption with Amazon S3-Managed Keys ā€¢ Server-Side Encryption with AWS KMS-Managed Keys ā€¢ Server-Side Encryption with Customer-Provided Keys ā€¢ Client-Side Encryption with an AWS KMSā€“Managed Customer Master Key ā€¢ Client-Side Encryption with a Client-Side Master Key
  • 16.
    Server-Side Encryption withAmazon S3-Managed Keys Server-side encryption with Amazon S3- managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
  • 17.
    Server-Side Encryption withAWS KMS-Managed Keys AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. You use AWS KMS via the Encryption Keys section in the IAM console or via AWS KMS APIs to centrally create encryption keys, define the policies that control how keys can be used, and audit key usage to prove they are being used correctly.
  • 18.
    Highlights of SSE-KMS ā€¢You can choose to create and manage encryption keys yourself. ā€¢ The data keys used to encrypt your data are also encrypted and stored alongside the data they protect. ā€¢ Auditable master keys can be created, rotated, and disabled from the IAM console. ā€¢ The security controls in AWS KMS can help you meet encryption- related compliance requirements.
  • 19.
    Server-Side Encryption withCustomer-Provided Keys Server-side encryption with customer- provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects.
  • 20.
    Highlights of SSE-C ā€¢You must use https protocol service only. ā€¢ You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.
  • 21.
    Client-Side Encryption withan AWS KMSā€“Managed Customer Master Key Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options: ā€¢ Use an AWS KMS-managed customer master key ā€¢ Use a client-side master key
  • 22.
  • 23.
    To Follow Me; Facebook; https://www.facebook.com/profile.php?id=100016683103655 Nantha Kumar Rajasekaren. Twitter ; https://twitter.com/NRajasekaren Nantha Kumar Rajasekaren. LinkedIn; https://www.linkedin.com/in/nantha-kumar-rajasekaren-502211148/ Nantha Kumar Rajasekaren.