KMS 101

AWS Key Management 101

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including EBS, S3, Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon RDS and others to make it simple to encrypt your data with encryption keys that you manage.

• Best Practice to have someone who can manage the keys permissions, but does not have the ability to encrypt or decrypt.
• User who does not manage keys permissions, but has ability to do encryption and decryption
• Encryption Key must be in same region as the data

AWS Key Management Service Exam Tips

The Customer Master Key:

• CMK
  • Alias
  • Creation Date
  • Description
  • Key State
  • Key Material (either customer provided or AWS provided)
• Can NEVER be exported

Set up a Customer Master Key:

• Create Alias and Description
• Choose material option
• Define Key Administrative Permissions
  • IAM users/roles that can administer (but not use) the key through the KMS API
• Define Key Usage Permissions
  • IAM users/roles that can use the key to encrypt and decrypt data

Key Material Options:

• Use KMS generated key material
• Your own key material