Quick introduction to AWS KMS. AWS KMS Use cases, Key ownership and management, data key and envelope encryption, Key access policies and permissions, key rotation approach.

1. AWS KMS
In 10 Minutes
Rajendran Senapathi, Cloud Solutions Architect

2. AWS KMS – Use Cases
Business
“I have sensitive data that needs to be secured for data
protection and compliance.”
“I need a cryptographic solution that is highly available,
secure, reliable, and durable.”
“I want to deploy and manage the encryption keys using
code and want these integrated in the CI/CD process.”
DevOps
“I want separation of responsibilities between key
administrators and key users and want auditing in place for
access and usage.”
Architecture
DevOps
Security

3. AWS KMS - Key facts
AWS Key Management Service (KMS)
Symmetric Keys Asymmetric Key Pairs
• The key never leaves the KMS • Private key never leaves the KMS.
Private Public
New
Customer Master Keys
• Same key is used for
encryption and decryption.
• Used for encryption and decryption,
signing and verification.
• Data key protected by
symmetric CMK in KMS.
• Private key protected by symmetric
CMK in KMS.
Data Keys
• CMKs are protected by
Hardware Security Modules
managed by AWS.
• Validated by FIPS 140-2
Cryptographic Module
Validation Program.
• Integrates with most AWS
services for encryption tasks
and CloudTrail for auditing

4. Key Ownership and Management
AWS Key Management Service (KMS)
Creation
Auditing
Customer Managed Keys AWS Managed Keys AWS Owned & Managed Keys
• Customer creates the key.
• Can use it in cryptographic
operations directly.
• AWS services create on customer
behalf.
• Cannot use in cryptographic
operations directly. Only services
that created them can use them.
• Automatically created by AWS
for relevant service.
Management
• Customer manages the lifecycle,
policies, and permissions.
• The integrated services (e.g., RDS)
gives option to use customer
managed key for encryption.
• AWS manages the lifecycle and
permissions on customer behalf.
• Customer can view the policies,
but cannot change them.
• AWS owns and manages these
keys. These keys are
automatically created when a
service is created.
• Customer can track the key
access and usage through
CloudTrail
• Customer can track the key access
and usage through CloudTrail
• Customer cannot track the access
or usage.

5. Data Key and Envelope encryption
CMK
Customer Master Keys
can encrypt data only
up to 4KB. Therefore,
CMK is generally used
to encrypt data keys,
which can encrypt
large amount of data.
KMS
Typical process for encrypting and decrypting data
Call KMS to
generate a data Key
1
KMS generates a data key and
returns the plan text data key and
the encrypted (using CMK) data key.
2
Data Encrypted using plain
text data key
3
Encrypted data stored with
encrypted data key. Plain text
data key discarded.
4
=
When data needs to
be retrieved, call
KMS to decrypt the
data key
5
Using the plain text data key returned,
the encrypted data is decrypted
6
=
Most AWS services have built in integration with KMS to perform the encryption / decryption tasks.

6. "Effect": "Allow",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
IAM Policies – Separation of Concerns
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*“
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*"
"Effect": "Allow",
"Action": "kms:*",
"Resource": "*"
"Effect": "Allow",
"Action": "kms:*",
"Resource": "*"
Root User
Key
Administrators General
Key Users
and Roles

7. • AWS Managed CMKs are automatically rotated every 3 years - the frequency
cannot be changed.
• Customer managed CMKs can be enabled for automatic yearly rotation; for
custom rotation frequency, do manual rotation.
• If compromise is suspected, after manual rotation, update the application /
aliases to point to the new backing key.
Key Rotation
Original
backing key
Original
backing key
Before Rotation
New
backing key
After automatic Rotation • After rotation, all the endpoints (ID, ARN, policies, etc.,) will
remain unchanged.
• Original backing keys are still retained for applications / aliases
that still use them.
• The data Keys generated using the original keys are not rotated
• Asymmetric keys do not support automatic rotation

8. Advanced Scenarios
If you want:
• Keys from FIPS 140-2 level 3 validated hardware.
• Keep exclusive control of the keys.
• Make KMS to use your own HSM as key store.
• Comply with local regulations.
• Single tenant HSM infrastructure.
Then… Use.. AWS CloudHSM
• CloudHSM runs in your own VPC,
isolated from other AWS networks.
• AWS manages the HSM hardware
deployed as highly available in multiple
availability zones

9. AWS KMS - Key Points
• AWS KMS supports both symmetric and asymmetric keys.
• AWS KMS is regional, multitenant service. For advanced scenarios consider
CloudHSM.
• You can create and manage custom CMKs and have granular permissions and
custom rotation policies defined.
• Ensure principle of least privilege and separation of duties between key
administrators and users.
• Enable Multi-factor authentication for critical API calls (delete, policy
updates, etc.,).
• Ensure monitoring and logging in place for tracking access and usage.

10. Further Reading
AWS KMS Developer Guide
https://docs.aws.amazon.com/kms/latest/developerguide/index.html
https://docs.aws.amazon.com/kms/latest/APIReference/index.html
AWS KMI API Reference

11. www.linkedin.com/in/rajsenapathi