AWS KMS Cheat Sheet

• A managed service that enables you to easily encrypt your data. KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

Features

• AWS KMS is integrated with CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when.
• AWS KMS keys are used to control access to data encryption keys that encrypt and decrypt your data.
• You can choose to have KMS automatically rotate KMS keys created within KMS once per year without the need to re-encrypt data that has already been encrypted with your KMS key.
• To help ensure that your keys and your data is highly available, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
• You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the Internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
• You can define VPC Endpoint policies, enabling you to increase the granularity of your security controls by specifying which principals can access your endpoint, which API calls they can make, and which resources they can access.

Concepts

• AWS KMS keys – You can use a KMS key to encrypt and decrypt up to 4 KB of data. Typically, you use KMS keys to generate, encrypt, and decrypt the data keys that you use outside of KMS to encrypt your data. Symmetric KMS keys are 256-bit advanced encryption standard (AES) keys that cannot be exported.
• There are three types of KMS keys:

• • Customer managed keys are KMS keys that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
  • AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service that integrates with KMS. You can view the AWS managed keys in your account, view their key policies, and audit their use in CloudTrail logs. However, you cannot manage these AWS managed keys or change their permissions. And, you cannot use AWS managed keys in cryptographic operations directly; the service that creates them uses them on your behalf.
  • AWS owned keys are not in your AWS account. They are part of a collection of KMS keys that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned key to protect your data. You cannot view, manage, or use AWS owned keys, or audit their use.
• Data keys – Encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
  • AWS KMS can generate, encrypt, and decrypt data keys. However, KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.
  • Data keys can be generated at 128-bit or 256-bit lengths and encrypted under a KMS key you define.
• Envelope encryption -The practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. The top-level plaintext key encryption key is known as the root key.
• Encryption Context – All KMS cryptographic operations accept an encryption context, an optional set of key–value pairs that can contain additional contextual information about the data.
• Key Policies – When you create a KMS key, permissions that determine who can use and manage that KMS key are contained in a document called the key policy.
• Grants – A grant is an alternative to the key policy. Grants are commonly used for temporary rights since they can be created, utilized, and deleted without affecting your key policies or IAM policies.
• Grant Tokens – When you create a grant, the permissions specified in the grant might not take effect immediately due to eventual consistency. If you need to mitigate the potential delay, use a grant token instead.
• When you enable automatic key rotation for a customer managed KMS key, AWS KMS generates new cryptographic material for the KMS key every year. KMS also saves the KMS Keys’ older cryptographic material so it can be used to decrypt data that it encrypted.
• An alias is an optional display name for an AWS KMS Keys. Each KMS Key can have multiple aliases, but each alias points to only one KMS Key. The alias name must be unique in the AWS account and region.

Importing Keys

• A KMS Key contains the key material used to encrypt and decrypt data. When you create a KMS key, by default AWS KMS generates the key material for that KMS key. But you can create a KMS key without key material and then import your own key material into that KMS key.
• When you import key material, you can specify an expiration date. When the key material expires, KMS deletes the key material and the KMS key becomes unusable. You can also delete key material on demand.

Deleting Keys

• Deleting a KMS key deletes the key material and all metadata associated with the KMS key and is irreversible. You can no longer decrypt the data that was encrypted under that KMS key, which means that data becomes unrecoverable.
• You can create a CloudWatch alarm that sends you a notification when a user attempts to use the KMS key while it is pending deletion.
• You can temporarily disable keys so they cannot be used by anyone.
• KMS supports custom key stores backed by AWS CloudHSM clusters. A key store is a secure location for storing cryptographic keys.
• You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.

Pricing

• Each KMS key that you create in KMS, regardless of whether you use it with KMS-generated key material or key material imported by you, costs you until you delete it.
• For KMS keys with key material generated by KMS, if you opt-in to have the KMS keys automatically rotated each year, each newly rotated version will raise the cost of the KMS key per month.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Validate Your Knowledge

Question 1

1. AWS managed key
2. Symmetric customer managed key
3. Customer managed key in a custom key store associated with an AWS CloudHSM cluster in your account
4. AWS owned key

Show me the answer!

Correct Answer: 2

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your AWS Key Management Service (AWS KMS) KMS keys, you can create a new KMS key and then change your applications or aliases to use the new KMS key. Or, you can enable automatic key rotation for an existing customer-managed CMK.

When you enable automatic key rotation for a customer-managed key, AWS KMS generates new cryptographic material for the key every year. AWS KMS also saves the KMS key’s older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK. Key rotation changes only the CMK’s backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes.

Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use. AWS KMS supports optional automatic key rotation only for customer-managed keys.

-Backing key management. AWS KMS retains all backing keys for a KMS key, even if key rotation is disabled. The backing keys are deleted only when the KMS key is deleted. When you use a KMS key to encrypt, AWS KMS uses the current backing key. When you use the KMS key to decrypt, AWS KMS uses the backing key that was used to encrypt.

-Enable and disable key rotation. Automatic key rotation is disabled by default on customer-managed KMS keys. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the key 365 days after the enable date and every 365 days thereafter.

-Disabled KMS keys. While a KMS key is disabled, AWS KMS does not rotate it. However, the key rotation status does not change, and you cannot change it while the key is disabled. When the key is re-enabled, if the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.

-KMS keys pending deletion. While a KMS key is pending deletion, AWS KMS does not rotate it. The key rotation status is set to false, and you cannot change it while deletion is pending. If deletion is canceled, the previous key rotation status is restored. If the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.

-AWS managed KMS keys. AWS KMS automatically rotates AWS managed keys every year (approximately 365 days). You cannot enable or disable key rotation for AWS managed keys.

-AWS owned KMS keys. You cannot manage key rotation for AWS owned KMS keys. The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the KMS key.

-Monitoring key rotation. When AWS KMS automatically rotates the key material for an AWS managed key or customer-managed key, it writes the KMS key Rotation event to Amazon CloudWatch Events. You can use this event to verify that the key was rotated.

-Unsupported KMS key types. Automatic key rotation is not supported on the following types of KMS keys, but you can rotate these keys manually.

1. Asymmetric KMS keys
2. KMS keys in custom key stores
3. KMS keys that have imported key material

Hence, the correct answer is: Symmetric customer managed key.

The option that says: AWS managed key is incorrect because key policies for AWS managed keys, which are needed to control access to KMS keys, cannot be modified.

The option that says: Customer managed key in custom key store associated with an AWS CloudHSM cluster in your account is incorrect because automatic key rotation is not supported for this KMS key type.

The option that says: AWS owned key is incorrect because you cannot control the level of access for AWS owned KMS key. Also, the key rotation period for an AWS owned key is determined by the AWS service that creates and manages the KMS key. Its automatic key rotation varies depending on the AWS service.

References:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works

Customer Master Keys (CMKs) Policy Management in AWS KMS:
https://tutorialsdojo.com/customer-master-keys-cmks-policy-management-in-aws-kms/

Working with Customer Master Keys (CMKs) Using the AWS KMS API:
https://tutorialsdojo.com/working-with-customer-master-keys-cmks-using-the-aws-kms-api/

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

Question 2

A company has an application that heavily uses AWS KMS to encrypt financial data. A Security Engineer has been instructed to ensure that communications between the company’s VPC and AWS KMS do not pass through the public Internet.

Which combination of steps is the MOST suitable solution in this scenario? (Select TWO.)

1. Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
2. Replace the Internet Gateway of the VPC with an AWS Transit Gateway.
3. Set up a new VPC endpoint for AWS KMS with private DNS enabled.
4. Establish a Direct Connect connection between the VPC and AWS KMS.
5. In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

References:
https://docs.aws.amazon.com/kms/latest/developerguide
https://aws.amazon.com/kms/features/
https://aws.amazon.com/kms/pricing/
https://aws.amazon.com/kms/faqs/