AWS KMS Key Management Service Features



AWS KMS: What is it?

Use AWS KMS to digitally sign data, encrypt data within your applications using the AWS Encryption SDK, generate and verify message authentication codes (MACs), and encrypt data across all of your AWS workloads.

AWS Key Management Service (KMS) gives you control over the cryptographic keys that protect your data. With AWS KMS, you have centralized management of your keys' lifecycle and permissions. You can create new keys whenever you want and have full control over who may use and manage them. Because KMS is integrated with other AWS services, it is easier to encrypt data stored in those services and to control who has access to the decryption keys.

Because AWS KMS is integrated with AWS CloudTrail, you can audit who used which keys, on which resources, and when. AWS KMS makes it easy for developers to add digital signature or encryption capabilities to their application code, either directly or through the AWS SDK. The AWS Encryption SDK supports AWS KMS to assist developers who need to encrypt and decrypt data locally within their applications.

Important Features

Auditing

If you have AWS CloudTrail enabled on your AWS account, every request you make to AWS KMS is recorded in a log file. This log file is delivered to the Amazon Simple Storage Service (Amazon S3) bucket that you specified when you set up AWS CloudTrail. The recorded data includes the user's identity, the time and date, the API action, and, where relevant, the key that was used.
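The audit question above ("who used which key, on which resource, and when") is answered by parsing the KMS records out of a CloudTrail log file. The example below is added here and is not part of the original article; the records are constructed to mimic CloudTrail's JSON layout, and the set of "sensitive" lifecycle actions is this example's own choice.

```python
"""Summarise KMS key usage from a CloudTrail log file (added example, not from the original page)."""
import json
from collections import Counter

# Constructed sample CloudTrail records, trimmed to the fields used here; not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"}]},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}},
]})

# Key lifecycle actions that weaken or remove a key; these deserve an alert rather than a tally.
SENSITIVE_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteImportedKeyMaterial"}

def kms_events(log_text):
    """Yield only the records emitted by the KMS API (CloudTrail mixes all services in one file)."""
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec

def _key_arns(rec):
    return [r["ARN"] for r in rec.get("resources", [])] or ["(no key)"]

def key_usage(log_text):
    """Who used which key, and how: Counter keyed by (principal ARN, key ARN, API action)."""
    counts = Counter()
    for rec in kms_events(log_text):
        for key_arn in _key_arns(rec):
            counts[(rec["userIdentity"]["arn"], key_arn, rec["eventName"])] += 1
    return counts

def denied_requests(log_text):
    """Failed calls: repeated denials against a key point at misconfiguration or probing."""
    return [(rec["userIdentity"]["arn"], rec["eventName"], _key_arns(rec)[0])
            for rec in kms_events(log_text) if "errorCode" in rec]

def sensitive_actions(log_text):
    """Key lifecycle changes worth alerting on, as (time, principal, action, key) tuples."""
    return [(rec["eventTime"], rec["userIdentity"]["arn"], rec["eventName"], _key_arns(rec)[0])
            for rec in kms_events(log_text) if rec["eventName"] in SENSITIVE_ACTIONS]
```

In a real deployment the same functions would be run over the gzipped objects CloudTrail delivers to the S3 bucket mentioned above.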

High availability, robustness, and scalability

AWS KMS is a fully managed service. As you use encryption more frequently, the service automatically scales to meet your needs. It lets you use and manage tens of thousands of KMS keys in your account at any moment. Although it defines default limits for the number of keys and request rates, you can request higher limits if necessary.

The KMS keys you create or that other AWS services provide for you cannot be exported. AWS KMS is therefore responsible for their durability. To help guarantee that both your keys and your data are highly available, AWS KMS maintains multiple encrypted copies of your keys in systems designed for 99.999999999% durability.

Workflows that use KMS multi-Region keys for encrypted data or digital signatures that travel across regions include disaster recovery, multi-Region high-availability architectures, DynamoDB Global Tables, and globally distributed consistent digital signatures. KMS multi-Region keys are interoperable keys that can be replicated into other regions with the same key material and key IDs.

AWS KMS is designed to be a highly available service with a regional API endpoint. Because most AWS services rely on AWS KMS for encryption and decryption, it is built to provide a high degree of availability. Like the rest of AWS, its availability is backed by the AWS KMS Service Level Agreement.

Secure

AWS KMS is designed so that nobody, not even AWS employees, can retrieve your plaintext keys from the service. The service uses hardware security modules (HSMs) that are regularly validated under the Federal Information Processing Standards (FIPS) 140-2 Cryptographic Module Validation Program of the U.S. National Institute of Standards and Technology (NIST) to safeguard the confidentiality and integrity of your keys. AWS KMS HSMs provide the cryptographic foundation for protecting KMS keys.

They create a secure, hardware-protected boundary for each cryptographic operation that occurs in KMS. Any key material for KMS keys created within AWS KMS HSMs, as well as any operation requiring decrypted KMS key material, must occur within the FIPS 140-2 Security Level 3 boundary of these HSMs. AWS KMS HSM firmware changes are controlled through multi-party access control that is inspected and reviewed by an independent group within Amazon. All firmware updates are submitted to a NIST-accredited lab for certification in compliance with FIPS 140-2 Security Level 3.

Your plaintext keys are never written to disk; they are only ever used in the volatile memory of the HSMs for the time necessary to perform the cryptographic operation you have requested. This is true whether you use the custom key store option to create keys in an AWS CloudHSM cluster, import keys into the service, or ask AWS KMS to generate keys for you. It is up to you whether you create a single-Region key or a multi-Region key. Single-Region keys can only be used in the AWS Region in which they were created; they are never transmitted outside of that region.

Asymmetric keys

AWS KMS supports the creation and use of asymmetric KMS keys and data key pairs. A KMS key can be designated as a signing key pair, an encryption key pair, or a key agreement key pair. For these KMS keys, the HSMs generate the key pairs and perform the asymmetric cryptographic operations. You can request the public portion of an asymmetric KMS key for use in your local applications, while the private portion is only ever used inside the service. You can also import the private portion of an asymmetric key from your own key management system.


The service can also be asked for an asymmetric data key pair. This returns the public key and the private key in plaintext, together with a copy of the private key encrypted under a symmetric KMS key you specify. You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for later use.

HMAC

AWS KMS's FIPS 140-2 validated HSMs can be used to generate and verify Hash-Based Message Authentication Codes (HMACs). HMACs are a cryptographic building block that mixes secret key material into a hash function to produce a unique keyed message authentication code. HMAC KMS keys are superior to HMACs generated in application software because the key material is created and used only within AWS KMS. They are also subject to the access controls you set on the key.

The HMAC KMS keys and HMAC algorithms used by AWS KMS adhere to the industry standard specified in RFC 2104. HMAC KMS keys are generated by AWS KMS hardware security modules that have been validated under the FIPS 140-2 Cryptographic Module Validation Program, so the HMAC key material is always protected by validated hardware. You can also import your own HMAC key from your own key management system.
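To make concrete what the RFC 2104 construction does with the secret key, and why verification must use a constant-time comparison, here is an added example that is not part of the original article: HMAC-SHA256 built from the bare hash per RFC 2104, checked against Python's `hmac` module, with a verify function standing in for what a KMS VerifyMac-style check performs inside the HSM. The key and message are constructed sample values; with an HMAC KMS key the `key` bytes would never exist in application memory at all.

```python
"""RFC 2104 HMAC-SHA256 from primitives, plus constant-time verification (added example)."""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes (B in RFC 2104)

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || text)), using only the bare hash."""
    if len(key) > BLOCK_SIZE:                 # keys longer than one block are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to exactly one block (B bytes)
    ipad = bytes(b ^ 0x36 for b in key)       # inner pad: K xor 0x36 repeated
    opad = bytes(b ^ 0x5C for b in key)       # outer pad: K xor 0x5C repeated
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()

def verify_mac(key: bytes, message: bytes, mac: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, message), mac)

# Constructed sample inputs; in KMS the key would be generated and held inside the HSM, never here.
SAMPLE_KEY = bytes(range(32))
SAMPLE_MSG = b'{"order_id": 1001, "amount": "49.99"}'

def demo():
    """Return (tag matches stdlib, untampered verifies, tampered message is rejected)."""
    tag = hmac_sha256(SAMPLE_KEY, SAMPLE_MSG)
    reference = hmac.new(SAMPLE_KEY, SAMPLE_MSG, hashlib.sha256).digest()
    tampered = SAMPLE_MSG.replace(b"49.99", b"0.99")
    return (tag == reference,
            verify_mac(SAMPLE_KEY, SAMPLE_MSG, tag),
            not verify_mac(SAMPLE_KEY, tampered, tag))

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```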

Compliance

The security and quality controls in AWS KMS have been validated and certified under the following compliance regimes:
  • AWS System and Organization Controls (SOC) 1, 2, and 3 reports. You can download a copy of the reports from AWS Artifact.
  • Cloud Computing Compliance Controls Catalog (C5).
  • PCI Data Security Standard (PCI DSS) Level 1.
  • Federal Information Processing Standards (FIPS) 140-2. The AWS KMS cryptographic module was certified by NIST at FIPS 140-2 Security Level 3.
  • Federal Risk and Authorization Management Program (FedRAMP).
  • Health Insurance Portability and Accountability Act (HIPAA).

Custom key stores

Custom key stores combine the convenient and comprehensive key management interface of AWS KMS with the ability to own and control the device or devices where key material is stored and cryptographic operations occur. In return, you take on more responsibility for the lifecycle and availability of the cryptographic keys and for the operation of the HSMs. AWS KMS offers two types of custom key store:

CloudHSM-backed key stores

You can create a KMS key in an AWS CloudHSM custom key store, where all keys are generated and stored in an AWS CloudHSM cluster that you own and manage. When you use a KMS key in a custom key store, the cryptographic operations with that key are performed only in your AWS CloudHSM cluster.

The costs of using a custom key store are paying extra for the AWS CloudHSM cluster and being responsible for ensuring that the key material is available in that cluster.

External key stores

If you have a regulatory requirement to store and use your encryption keys on premises or outside the AWS Cloud, you can create a KMS key in an AWS KMS external key store (XKS), where all keys are generated and stored in an external key manager that you own and administer. When you use an XKS, your key material never leaves your HSM.

Unlike standard KMS keys or keys in a CloudHSM custom key store, with an external key store you are responsible for the cryptographic operations of the external keys as well as the durability, availability, latency, performance, and security of the key material. The availability and performance of KMS operations may be affected by the hardware, software, and networking components of the XKS infrastructure you use.

Client-side encryption

AWS KMS can be used with client-side encryption libraries to protect data in hybrid and multicloud environments, or directly within your AWS application. You can use these libraries to encrypt data before storing it in AWS services, or in any other storage media and third-party services of your choosing. These libraries help you encrypt and decrypt data using industry standards and best practices. By using them, you can concentrate on the core features of your application rather than on data encryption and decryption.
  • The general-purpose AWS Encryption SDK can encrypt and decrypt any data.
  • The AWS Database Encryption SDK is an encryption library that helps you protect sensitive data stored in your database and provides additional capabilities for accessing and querying encrypted data.
  • The Amazon S3 Encryption Client is an encryption library that encrypts and decrypts data stored in your S3 bucket.

