Ends in
00
days
00
hrs
00
mins
00
secs
LEARN MORE

FLASH SALE - AWS SAA, CDA, and SysOps Practice Exams at $12.99 ONLY!

AWS Key Management Service (AWS KMS)

  • A managed service that enables you to easily encrypt your data. KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

Features

  • KMS is integrated with CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when.
  • Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data.
  • You can choose to have KMS automatically rotate master keys created within KMS once per year without the need to re-encrypt data that has already been encrypted with your master key.
  • To help ensure that your keys and your data is highly available, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
  • You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the Internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
  • You can define VPC Endpoint policies, enabling you to increase the granularity of your security controls by specifying which principals can access your endpoint, which API calls they can make, and which resources they can access.

Concepts

  • Customer Master Keys (CMKs) – You can use a CMK to encrypt and decrypt up to 4 KB of data. Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use outside of KMS to encrypt your data. Master keys are 256-bits in length.
  • There are three types of CMKs:

Type of CMK

Can view

Can manage

Used only for my AWS account

Customer managed CMK

Yes

Yes

Yes

AWS managed CMK

Yes

No

Yes

AWS owned CMK

No

No

No

 

    • Customer managed CMKs are CMKs that you create, own, and manage. You have full control over these CMKs, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the CMK, and scheduling the CMKs for deletion.
    • AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that integrates with KMS. You can view the AWS managed CMKs in your account, view their key policies, and audit their use in CloudTrail logs. However, you cannot manage these CMKs or change their permissions. And, you cannot use AWS managed CMKs in cryptographic operations directly; the service that creates them uses them on your behalf.
    • AWS owned CMKs are not in your AWS account. They are part of a collection of CMKs that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned CMKs to protect your data. You cannot view, manage, or use AWS owned CMKs, or audit their use.
  • Data keys – Encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
    • You can use CMKs to generate, encrypt, and decrypt data keys. However, KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.
    • Data keys can be generated at 128-bit or 256-bit lengths and encrypted under a master key you define.
  • Envelope encryption -The practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. The top-level plaintext key encryption key is known as the master key.
  • Encryption Context – All KMS cryptographic operations accept an encryption context, an optional set of key–value pairs that can contain additional contextual information about the data.
  • IT Certification Category (English)728x90
  • Key Policies – When you create a CMK, permissions that determine who can use and manage that CMK are contained in a document called the key policy.
  • Grants – A grant is an alternative to the key policy. You can use grants to give long-term access that allows AWS principals to use your customer managed CMKs.
  • Grant Tokens – When you create a grant, the permissions specified in the grant might not take effect immediately due to eventual consistency. If you need to mitigate the potential delay, use a grant token instead.
  • When you enable automatic key rotation for a customer managed CMK, KMS generates new cryptographic material for the CMK every year. KMS also saves the CMK’s older cryptographic material so it can be used to decrypt data that it encrypted.
  • An alias is an optional display name for a CMK. Each CMK can have multiple aliases, but each alias points to only one CMK. The alias name must be unique in the AWS account and region.

Importing Keys

  • A CMK contains the key material used to encrypt and decrypt data. When you create a CMK, by default AWS KMS generates the key material for that CMK. But you can create a CMK without key material and then import your own key material into that CMK.
  • When you import key material, you can specify an expiration date. When the key material expires, KMS deletes the key material and the CMK becomes unusable. You can also delete key material on demand.

Deleting Keys

  • Deleting a CMK deletes the key material and all metadata associated with the CMK and is irreversible. You can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable.
  • You can create a CloudWatch alarm that sends you a notification when a user attempts to use the CMK while it is pending deletion.
  • You can temporarily disable keys so they cannot be used by anyone.
  • KMS supports custom key stores backed by AWS CloudHSM clusters. A key store is a secure location for storing cryptographic keys.
  • You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.

Pricing

  • Each customer master key that you create in KMS, regardless of whether you use it with KMS-generated key material or key material imported by you, costs you until you delete it.
  • For a CMK with key material generated by KMS, if you opt-in to have the CMK automatically rotated each year, each newly rotated version will raise the cost of the CMK per month.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS Certified Security - Specialty Exam Study Path

Validate Your Knowledge

Question 1

A company has several financial applications hosted in AWS that use AWS Key Management Service (KMS) to manage their encryption keys. The Security Team has been tasked to ensure that all encryption keys are automatically rotated every year.

Which AWS KMS key type should the team use to satisfy this requirement?

  1. AWS managed Customer Master Key (CMK)
  2. Symmetric customer-managed CMK
  3. Customer managed CMK in custom key store associated with an AWS CloudHSM cluster in your account
  4. AWS-owned CMK

Correct Answer: 2

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your AWS Key Management Service (AWS KMS) customer master keys (CMKs), you can create new CMKs, and then change your applications or aliases to use the new CMKs. Or, you can enable automatic key rotation for an existing customer-managed CMK.

When you enable automatic key rotation for a customer-managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK’s older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK. Key rotation changes only the CMK’s backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes.

Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use. AWS KMS supports optional automatic key rotation only for customer-managed CMKs.

  • Backing key management. AWS KMS retains all backing keys for a CMK, even if key rotation is disabled. The backing keys are deleted only when the CMK is deleted. When you use a CMK to encrypt, AWS KMS uses the current backing key. When you use the CMK to decrypt, AWS KMS uses the backing key that was used to encrypt.
  • Enable and disable key rotation. Automatic key rotation is disabled by default on customer-managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.
  • Disabled CMKs. While a CMK is disabled, AWS KMS does not rotate it. However, the key rotation status does not change, and you cannot change it while the CMK is disabled. When the CMK is re-enabled, if the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.
  • CMKs pending deletion. While a CMK is pending deletion, AWS KMS does not rotate it. The key rotation status is set to false and you cannot change it while deletion is pending. If deletion is canceled, the previous key rotation status is restored. If the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.
  • AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed CMKs every three years (1095 days).
  • AWS owned CMKs. You cannot manage key rotation for AWS owned CMKs. The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK.
  • Monitoring key rotation. When AWS KMS automatically rotates the key material for an AWS managed CMK or customer-managed CMK, it writes the KMS CMK Rotation event to Amazon CloudWatch Events. You can use this event to verify that the CMK was rotated.
  • Unsupported CMK types. Automatic key rotation is not supported on the following types of CMKs, but you can rotate these CMKs manually.

1. Asymmetric CMKs
2. CMKs in custom key stores
3. CMKs that have imported key material

Hence, the correct answer is: Symmetric customer-managed CMK.

The option that says: AWS managed Customer Master Key (CMK) is incorrect because you cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed CMKs every three years (1095 days) and not annually.

The option that says: Customer managed CMK in custom key store associated with an AWS CloudHSM cluster in your account is incorrect because automatic key rotation is not supported for this CMK type.

The option that says: AWS-owned CMK is incorrect because you cannot control the key rotation of an AWS owned CMK. The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK. Its automatic key rotation varies depending on the AWS service.

References:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works

Customer Master Keys (CMKs) Policy Management in AWS KMS:
https://tutorialsdojo.com/customer-master-keys-cmks-policy-management-in-aws-kms/

Working with Customer Master Keys (CMKs) Using the AWS KMS API:
https://tutorialsdojo.com/working-with-customer-master-keys-cmks-using-the-aws-kms-api/

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

Question 2

A company has an application that heavily uses AWS KMS to encrypt financial data. A Security Engineer has been instructed to ensure that communications between the company’s VPC and AWS KMS do not pass through the public Internet.

Tutorials Dojo Study Guide and Cheatsheet

Which combination of steps is the MOST suitable solution in this scenario? (Select TWO.)

  1. Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
  2. Replace the Internet Gateway of the VPC with an AWS Transit Gateway.
  3. Set up a new VPC endpoint for AWS KMS with private DNS enabled.
  4. Establish a Direct Connect connection between the VPC and AWS KMS.
  5. In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID.

Correct Answers: 1,3 

You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network. AWS KMS supports Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink.

Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets. The VPC interface endpoint connects your VPC directly to AWS KMS without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC do not need public IP addresses to communicate with AWS KMS.

If you use the default domain name servers (AmazonProvidedDNS) and enable private DNS hostnames for your VPC endpoint, you do not need to specify the endpoint URL. AWS populates your VPC name server with private zone data, so the public KMS endpoint (https://kms.<region>.amazonaws.com) resolves to your private VPC endpoint. To enable this feature when using your own name servers, forward requests for the KMS domain to the VPC name server.

You can also use AWS CloudTrail logs to audit your use of KMS keys through the VPC endpoint. And you can use the conditions in IAM and key policies to deny access to any request that does not come from a specified VPC or VPC endpoint.

Hence, the correct answers are:

  • Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
  • Set up a new VPC endpoint for AWS KMS with private DNS enabled.

The option that says: Replace the Internet Gateway of the VPC with an AWS Transit Gateway is incorrect because AWS Transit Gateway is simply a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway.

The option that says: Establish a Direct Connect connection between the VPC and AWS KMS is incorrect because Direct Connect is primarily used to connect your on-premises data center and your VPC. This service is not suitable for integrating AWS KMS and your VPC.

The option that says: In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC endpoint ID is incorrect because the aws:sourceVpc condition is more suitable if you already have multiple VPC endpoints configured in the same VPC. This means that you still have to use VPC Endpoints in order for you to use this condition. Moreover, if you use the aws:sourceVpc condition, you have to specify the VPC ID and not the VPC endpoint ID.

References:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Tutorials Dojo AWS Practice Tests

References:
https://docs.aws.amazon.com/kms/latest/developerguide
https://aws.amazon.com/kms/features/
https://aws.amazon.com/kms/pricing/
https://aws.amazon.com/kms/faqs/

5-DAY FLASH SALE! Big Discounts on our SAA, CDA, and SysOps Practice Exams

Pass your AWS and Azure Certifications with the Tutorials Dojo Portal

Tutorials Dojo portal

Our Bestselling AWS Certified Solutions Architect Associate Practice Exams

AWS Certified Solutions Architect Associate Practice Exams

Enroll Now – Our AWS Practice Exams with 95% Passing Rate

AWS Practice Exams Tutorials Dojo

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

Tutorials Dojo Study Guide and Cheat Sheets-2

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers
error: Content is protected !!