KMS Exam Tips

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including EBS, S3, Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon RDS and others to make it simple to encrypt your data with encryption keys that you manage.

The Customer Master Key:

  • CMK
    • Alias
    • Creation Date
    • Description
    • Key State
    • Key Material (either customer provided or AWS provided)
  • Can NEVER be exported

Set up a Customer Master Key:

  • Create Alias and Description
  • Choose material option
  • Define Key Administrative Permissions
    • IAM users/roles that can administer (but not use) the key through the KMS API
  • Define Key Usage Permissions
    • IAM users/roles that can use the key to encrypt and decrypt data

Key MAterial Options:

  • Use KMS generated key material
  • Your own key material

API Calls

  • aws kms encrypt
    • encrypts data
  • aws kms decrypt
    • decrypts data
  • aws kms re-encrypt
    • decrypts then re-encrypts straight away
  • aws kms enable-key-rotation
    • rotate keys once per year

Customer Master Key:

  • Use Customer Master Key to encrypt the envelope Key
  • Envelope key is used to encrypt data

Extras

  • "KMS encrypts and decrypts data using your master keys stored in KMS" : These are known as customer master keys or CMKs. You can generate CMKs in KMS, in an AWS CloudHSM cluster, or import them from your own key management infrastructure.
  • If you are exceeding the request per second limit, use the Encryption SDK
  • For AWS CodeBuild to encrypt its build output artifacts, it needs access to an AWS KMS customer master key (CMK). By default, AWS CodeBuild uses the AWS-managed CMK for Amazon S3 in your AWS account. Specify a KMS key to use here.
  • You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information.
    • Anything over 4 KB you may want to look into the AWS Encryption SDK
  • GenerateDataKey
    • used in envelope encryption
    • returns a data encryption key that you can use in your application to encrypt data locally
    • The data encryption key is the one that is actually used for encrypting data.
    • Master key encrypts the data encryption key
    • if you want only the encrypted version, use GenerateDataKeyWithoutPlainText