AWS Key Management Service (KMS) is a managed service that enables you to create and control “Keys” used for cryptographic operations. AWS KMS is a key component of AWS Security.
Key Terms
Encryption is the process of encoding data using an algorithm. Encryption is performed on the data by applying an algorithm, usually controlled by a parameter (known as a Key).
- The process of decoding is called Decryption
A Key is the parameter that an encryption algorithm uses to encode the data.
Symmetric and Asymmetric Encryption
- In Symmetric encryption, the same key is used to encrypt and decrypt the data.
- In Asymmetric encryption, the key used to encrypt the data is different from the key used to decrypt the data.
- Typically the key used to encrypt data is made publicly available by the owner
- This is called the Public Key
- You use the Public Key of the intended recipient to encrypt data for them.
- The key used to decrypt the data is available only to the intended reader: the Private Key
The following illustration shows the differences:
Customer Master Key (CMK)
A CMK is the main element of KMS: it is a logical representation of a master key. A CMK contains:
- Meta-data such as Key ID, Creation Date, Description, Key State
- Key Material – secret-sauce component that is used to encrypt and decrypt data
- Key Material may be created by KMS, by an external party (such as you), or in a Custom Key Store (CloudHSM)
- KMS supports symmetric and asymmetric CMKs
- A symmetric CMK represents a 256-bit key that is used for encryption and decryption
- An asymmetric CMK represents an RSA key pair that is used for encryption and decryption or signing and verification (but not both), or an elliptic curve (ECC) key pair that is used for signing and verification.
- Symmetric CMKs and the private keys of asymmetric CMKs never leave KMS unencrypted.
There are three types of CMKs:
- Customer managed CMKs are the CMKs that you create, own, and manage.
- You control every aspect of it.
- There is a fee associated with customer managed CMKs
- AWS managed CMKs are created, managed, and used on your behalf by an AWS service.
- They exist in your Account
- Some services only support AWS managed CMKs
- There is no fee for AWS managed CMKs (unless used in excess)
- AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts.
- These are not specific to your Account
Data Keys – these are encryption keys that you use to encrypt your data.
- You can use KMS CMKs to generate, encrypt, and decrypt Data Keys, but Data Keys are not stored in KMS.
- You use and manage Data Keys outside KMS
- Envelope encryption is when you encrypt your data with a Data Key, and then encrypt that Data Key under a CMK that is stored securely in KMS
FIPS 140-2 – Federal Information Processing Standard Publication 140-2 (aka FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules
AWS CloudHSM is a cloud-based Hardware Security Module (HSM) that allows you to create, store and use your own encryption keys on AWS.
- CloudHSM is implemented on FIPS 140-2 Level 3 validated hardware.
- CloudHSM resides on single-tenant hardware, as compared to KMS – which resides on multi-tenant hardware.
Key Points
- KMS is a fully managed service – there is no underlying infrastructure to be managed by you.
- KMS leverages Hardware Security Modules (HSMs) that are FIPS 140-2 compliant.
- KMS is highly available.
- KMS is a Regional service – CMKs created in a Region never leave that Region.
- KMS is well-integrated with other AWS services.
- KMS can encrypt up to 4 KB of data directly with a CMK.
- Via CloudTrail, KMS provides you with logs of all Key usage – useful for auditing and compliance purposes.
- You can use KMS with the AWS Encryption SDK to encrypt data in your applications.
- KMS can automatically perform rotation of master keys once per year, without the need to re-encrypt previously encrypted data.
- KMS allows you to create your own Key Store using HSMs that you control.
- Creation, storage and operations using your CMK then take place on the CloudHSM cluster
- KMS supports Asymmetric Keys (in select Regions).
- KMS is compliant with PCI DSS Level 1, FIPS 140-2 (Level 2 overall, and Level 3 in some categories), FedRAMP, and HIPAA (eligible).
Pricing
KMS is billed on the following components:
- CMKs – $1 per CMK per month
- Enabling annual rotation adds $1 per CMK each year (to cover cost of previous versions which continue to exist)
- Key Usage – per 10,000 requests
- Price varies by request type (e.g., simple requests versus requests involving RSA 2048 keys)
- There is a Free tier of 20,000 requests per month (cumulative across all Regions)
- Custom Key Store – price based on underlying CloudHSM cluster infrastructure
Resources