Introduction to AWS Key Management Service (KMS)

Encryption is still the best available mechanism for securing highly critical data, whether it is stored in the cloud or on-premises. Organisational policies, or industry or government regulations, might require the use of encryption at rest to protect your data.

AWS Key Management Service (KMS) is a highly available, scalable and secure key management service backed by Hardware Security Modules (HSMs); server-side encryption in other AWS services is built on it. With KMS, creating, controlling and rotating keys is reduced to a few simple clicks or API calls, while the key material itself never leaves the HSMs in plaintext.

AWS Key Management Service Architecture

Quick Facts:

  • KMS gives you centralised, controlled access to your data through managed encryption keys: who may use a key is decided in one place, by its key policy and IAM.
  • KMS is integrated with many AWS services, such as Amazon S3, EBS and Redshift, which call it on your behalf to protect the data they store.
  • Every use of a key is logged by AWS CloudTrail, so you can audit which principal used which key, when, and for which operation.
  • AWS keeps customer data regional. Key usage is isolated within an AWS Region: a key created in one Region cannot be used in another, so ciphertext cannot be decrypted cross-Region without re-encrypting it. (AWS has since added multi-Region keys as an explicit, opt-in exception.)
  • AWS KMS provides cryptographic operations at latency and throughput levels suitable for use by other AWS services.

Disadvantages of using KMS:

The drawback of customer managed keys is the complexity of setting up and managing the key policy. You have to write and maintain the key policy and the IAM policies that reference the key yourself, keep key administration separate from key use, and enable and track rotation of the key. A mistake in the key policy can lock you out of your own key or expose it to principals outside your account.
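To make the key-policy burden concrete, here is an added example (not code from the original post or from AWS): a least-privilege key policy for a customer managed key, with the account-root, administrator and user statements kept separate, plus a small lint that flags the mistakes that make key policies hard to manage. The account id, role names and policy id are placeholders; the action lists follow the ones the AWS console generates for "key administrators" and "key users".

```python
"""Added example: least-privilege key policy for a customer managed CMK and a lint
for common key-policy mistakes. Account id and role ARNs are placeholders (assumptions)."""
import json

ACCOUNT = "111122223333"                                       # assumed example account id
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdministrator"    # hypothetical admin role
APP_ARN = f"arn:aws:iam::{ACCOUNT}:role/OrdersService"         # hypothetical workload role

# Administrative actions: manage the key, but never use it for cryptography.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Cryptographic actions: use the key (GenerateDataKey* is what envelope encryption
# needs), but never change who may use it.
USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account: str, admin_arn: str, app_arn: str) -> dict:
    """Three statements: account root (so IAM policies can also grant access and the
    key can never become unmanageable), a separate administrator and a separate user."""
    return {
        "Version": "2012-10-17",
        "Id": "orders-data-key-policy",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow administration of the key", "Effect": "Allow",
             "Principal": {"AWS": admin_arn}, "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": app_arn}, "Action": USE_ACTIONS, "Resource": "*"},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt: dict) -> list:
    """Flatten the Principal element to a list of ARNs, or ["*"] for a wildcard."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    values = p.values() if isinstance(p, dict) else []
    out = []
    for v in values:
        out.extend(_as_list(v))
    return out


def lint_key_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing was spotted."""
    findings = []
    root_full_access = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        # 1. A wildcard principal with no Condition lets any AWS account use the key.
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard principal without a Condition")
        # 2. kms:* belongs only in the account-root statement.
        for p in principals:
            if "kms:*" in actions and not p.endswith(":root"):
                findings.append(f"{sid}: grants kms:* to non-root principal {p}")
            if "kms:*" in actions and p.endswith(":root"):
                root_full_access = True
        # 3. A principal that can both use the key and rewrite its policy is a single
        #    point of compromise; keep administration and use in separate statements.
        if any(a in actions for a in ("kms:PutKeyPolicy", "kms:Put*")) and \
           any(a in actions for a in ("kms:Decrypt", "kms:GenerateDataKey*")):
            findings.append(f"{sid}: mixes key administration and key use")
    if not root_full_access:
        findings.append("no statement grants the account root kms:*; the key can become unmanageable")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT, ADMIN_ARN, APP_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_key_policy(policy))
```

Run the lint against any key policy you are about to apply with PutKeyPolicy; an empty finding list is the minimum bar, not proof of least privilege.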

Types of Keys in AWS KMS

AWS Key Management Service works with two kinds of keys:

  1. Customer Master Key (CMK)
  2. Data Key

Customer Master Key:

A master key, or CMK, is the top-level key held inside KMS; its key material never leaves the service in plaintext. A CMK is either customer managed or AWS managed (AWS now calls CMKs "KMS keys", but the older name is used throughout this post). A CMK can encrypt data directly, but the Encrypt and Decrypt operations accept at most 4 KB of data per call, so a CMK is mainly used to encrypt data keys, which in turn encrypt the data. Typically, you use CMKs to generate, encrypt and decrypt the data keys that you use outside of AWS KMS to encrypt your data. This strategy is known as envelope encryption.

AWS supports three types of CMK:

CMK Type             | Description                                                                                   | Can View | Can Manage
---------------------|-----------------------------------------------------------------------------------------------|----------|-----------
Customer Managed CMK | CMKs in your AWS account that you create, own and manage.                                     | Yes      | Yes
AWS Managed CMK      | CMKs created, managed and used on your behalf by an AWS service that integrates with AWS KMS. | Yes      | No
AWS Owned CMK        | CMKs that are not in your AWS account; AWS owns and manages them for use across many accounts, and AWS services can use them to protect your data. | No | No

Key comparison between AWS managed CMK and customer managed CMK:

                       | AWS Managed CMK                                               | Customer Managed CMK
-----------------------|---------------------------------------------------------------|-----------------------------------------------------------------
Creation               | Created by AWS on the customer's behalf                       | Created by the customer
Rotation               | Automatic, on a schedule AWS controls (every three years when this was written; AWS now rotates them yearly) | Optional: automatic rotation once a year once you enable it, or manual rotation (create a new key and re-point the alias)
Deletion               | Cannot be deleted                                             | Can be scheduled for deletion (7 to 30 day waiting period)
Scope of Use           | Limited to the specific AWS service it was created for        | Any use the key policy and IAM allow
Key Access Policy      | Managed by AWS                                                | Managed by the customer
User Access Management | IAM policy                                                    | IAM policy, together with the key policy

Data Key:

A data key is the key that actually encrypts or decrypts data inside a service or an application. Data keys are symmetric keys that you can use to encrypt data of any size, including large amounts of data and other data encryption keys.

Note: You can use AWS KMS Customer Master Keys (CMKs) to generate, encrypt and decrypt data keys. However, AWS KMS does not store, manage or track your data keys, and does not perform cryptographic operations with them. You must use and manage data keys outside of AWS KMS, which means the encrypted copy of a data key has to be stored by you, normally alongside the data it protects.

Steps to create a data key using a CMK:

Step 1: Call the GenerateDataKey operation, specifying the CMK to use and the key length you want (for example AES_256).

Step 2: AWS KMS uses the CMK that you specify to generate a data key.

Step 3: The operation returns two things, as shown in the following image:

  • a plaintext copy of the data key, and
  • a copy of the data key encrypted under the CMK.

Use the plaintext data key to encrypt your data, store the encrypted data key together with the ciphertext, and then discard the plaintext key.

[Figure: inside AWS KMS, the customer master key and the encryption algorithm produce the plaintext data key and the encrypted data key.]

Decrypt data using a Data Key

To decrypt your data:

Step 1: Pass the encrypted data key to the Decrypt operation. For a symmetric CMK you do not need to name the CMK; KMS reads it from the metadata in the encrypted data key.

Step 2: AWS KMS uses your CMK to decrypt the data key and returns the plaintext data key. The call fails if the caller is not allowed to use that CMK, or if the ciphertext was produced under a CMK in another account or Region.

Step 3: Use the plaintext data key to decrypt your data.

Step 4: Remove the plaintext data key from memory as soon as possible, and never write it to disk or to logs.

[Figure: the encrypted data key is passed to AWS KMS, where the customer master key and the decryption algorithm return the plaintext data key.]
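The two procedures above (generate a data key, then decrypt with it) as one runnable, added example; this is not code from the original post or from AWS. The FakeKms class is a hypothetical stand-in that mimics the request and response shape of boto3's kms.generate_data_key(KeyId=..., KeySpec="AES_256") and kms.decrypt(CiphertextBlob=...) (both return a Plaintext field, and the former also returns CiphertextBlob and KeyId), so the envelope_encrypt and envelope_decrypt functions would work unchanged against a real client. The local cipher is an HMAC-SHA256 encrypt-then-MAC construction built from the standard library only, used here so the example runs offline; in production use a real AEAD such as AES-GCM. The sample record is constructed.

```python
"""Added example: envelope encryption end to end with a local stand-in for AWS KMS.
FakeKms is hypothetical; the HMAC-based cipher stands in for AES-GCM."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Hypothetical stand-in for the KMS API. Master keys never leave this object,
    which is the property the real HSM-backed service gives you."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        plaintext = secrets.token_bytes(32 if KeySpec == "AES_256" else 16)
        # The blob carries the key id, like a real KMS ciphertext, so Decrypt needs no KeyId.
        wrapped = seal(self._cmks[KeyId], plaintext, aad=KeyId.encode())
        blob = len(KeyId).to_bytes(1, "big") + KeyId.encode() + wrapped
        return {"KeyId": KeyId, "Plaintext": plaintext, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        n = CiphertextBlob[0]
        key_id = CiphertextBlob[1:1 + n].decode()
        if key_id not in self._cmks:
            raise KeyError("unknown or foreign CMK")   # blob from another account or Region
        plaintext = open_(self._cmks[key_id], CiphertextBlob[1 + n:], aad=key_id.encode())
        return {"KeyId": key_id, "Plaintext": plaintext}


def _wipe(buf: bytearray) -> None:
    """Best-effort zeroisation (step 4); Python cannot guarantee no other copy exists."""
    for i in range(len(buf)):
        buf[i] = 0


def envelope_encrypt(kms, key_id: str, plaintext: bytes) -> bytes:
    """Steps 1-3 of data-key creation, then encrypt locally and keep only the wrapped key."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    data_key = bytearray(resp["Plaintext"])
    try:
        body = seal(bytes(data_key), plaintext)
    finally:
        _wipe(data_key)
    edk = resp["CiphertextBlob"]
    return len(edk).to_bytes(2, "big") + edk + body   # encrypted data key travels with the data


def envelope_decrypt(kms, envelope: bytes) -> bytes:
    """Steps 1-4 of decryption: unwrap the data key with KMS, decrypt locally, wipe the key."""
    n = int.from_bytes(envelope[:2], "big")
    edk, body = envelope[2:2 + n], envelope[2 + n:]
    data_key = bytearray(kms.decrypt(CiphertextBlob=edk)["Plaintext"])
    try:
        return open_(bytes(data_key), body)
    finally:
        _wipe(data_key)


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    record = b"customer record " * 1024   # constructed sample, 16 KB: well over the 4 KB Encrypt limit
    env = envelope_encrypt(kms, key_id, record)
    assert envelope_decrypt(kms, env) == record
    print("round trip ok; envelope is", len(env), "bytes")
```

The two properties worth noticing when you run it: the data can be arbitrarily large because only the 32-byte data key ever goes to KMS, and an envelope produced under one KMS instance cannot be opened by another, which is exactly the regional and per-account isolation described above.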


Categories: security
