Last updated on July 11, 2024
What is AWS Key Management Service?
AWS Key Management Service (or KMS for short) is the service you use to securely store your encryption keys in AWS. If you need data encryption on your AWS resources, such as EBS volumes or RDS databases, you can use AWS KMS to simplify the process. You start using the service by requesting the creation of a KMS key. By default, AWS KMS generates the key material for your KMS key; you also have the option of importing your own key material. Note that if you imported your own key material, you must manage key rotation yourself.
Users and developers who manage security can interact with AWS KMS programmatically via the CLI or SDK, both of which call the AWS KMS API. You do not authenticate to the KMS API with your console username and password; configure your access key ID and secret access key instead. Once you have configured your AWS profile on your local machine, you can start executing API calls. If you encounter errors during API calls, check whether your IAM user has been granted the permissions needed for that action.
List of Commonly Used AWS KMS APIs
Below are some of the KMS API commands that you should know of:
- Create, describe, list, enable, and disable KMS keys
To create a KMS key, run the CreateKey operation. By default, this command creates a symmetric encryption KMS key. Also, if the key is created via the API, only the root user of the AWS account that owns the key has full access.
aws kms create-key
You can also create an asymmetric KMS key if that is what you need. Here, you must specify the KeySpec parameter, which determines the encryption algorithm that KMS will use. Also, you must specify a KeyUsage value of ENCRYPT_DECRYPT or SIGN_VERIFY. You cannot change these properties after the KMS key is created.
aws kms create-key --key-spec RSA_4096 --key-usage ENCRYPT_DECRYPT
aws kms create-key --key-spec ECC_NIST_P521 --key-usage SIGN_VERIFY
You can also specify some additional parameters during key creation:
- BypassPolicyLockoutSafetyCheck (bool) – Indicates whether to bypass the key policy lockout safety check.
- CustomKeyStoreId (string) – Creates the KMS key in the specified custom key store and the key material in its associated AWS CloudHSM cluster.
- Description (string)
- Origin (string) – The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS.
- Policy (string) – The key policy to attach to the KMS key.
- Tags (dict)
To list all the KMS keys under your account, run the ListKeys operation.
aws kms list-keys
To see the metadata and other details of a specific key, run the DescribeKey operation and enter the key id of interest.
aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
To control whether a key can be used for cryptographic operations, run the EnableKey and DisableKey operations with the key id of interest.
aws kms enable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
aws kms disable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
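The DescribeKey output above is JSON, and it is worth triaging before you decide which keys to enable, disable, or rotate. The following is an added example, not code from the original article or from AWS: it parses constructed `describe-key` responses (the key ids, the account id 111122223333 and the descriptions are placeholders) and flags keys that are not in the Enabled state, keys with imported material (Origin EXTERNAL), which KMS will not rotate for you, and keys that are otherwise ineligible for KMS automatic rotation (non-AWS_KMS origin or a non-symmetric key spec).

```python
"""Triage `aws kms describe-key` output offline.

Added example, not from the original article or from AWS. Feed it the JSON that
`aws kms describe-key --key-id ...` prints (one document per key) and it reports
keys that need attention. The sample documents below are constructed.
"""
import json

ACCOUNT = "111122223333"  # placeholder account id used in AWS documentation
REQUIRED_FIELDS = ("KeyId", "KeyState", "Origin", "KeySpec", "KeyUsage")


def _sample(key_id, state, origin, spec, usage, description):
    """Build one constructed describe-key response in the shape the CLI prints."""
    return json.dumps({"KeyMetadata": {
        "KeyId": key_id,
        "Arn": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{key_id}",
        "Enabled": state == "Enabled",
        "KeyState": state,
        "Origin": origin,
        "KeySpec": spec,
        "KeyUsage": usage,
        "Description": description,
    }})


# Constructed sample: three keys as describe-key would report them.
SAMPLE_DESCRIBE_KEY_OUTPUTS = [
    _sample("1234abcd-12ab-34cd-56ef-1234567890ab", "Enabled", "AWS_KMS",
            "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", "app data key"),
    _sample("1234abcd-12ab-34cd-56ef-1234567890ac", "Enabled", "EXTERNAL",
            "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", "imported material"),
    _sample("1234abcd-12ab-34cd-56ef-1234567890ad", "Disabled", "AWS_KMS",
            "RSA_4096", "SIGN_VERIFY", "retired signing key"),
]


def parse_key_metadata(describe_key_json):
    """Extract KeyMetadata from one describe-key response, rejecting malformed input."""
    doc = json.loads(describe_key_json)
    meta = doc.get("KeyMetadata")
    if not isinstance(meta, dict):
        raise ValueError("response has no KeyMetadata object")
    missing = [f for f in REQUIRED_FIELDS if f not in meta]
    if missing:
        raise ValueError(f"KeyMetadata missing fields: {missing}")
    return meta


def triage_key(meta):
    """Return a list of findings for one key's metadata (empty if nothing to flag)."""
    findings = []
    if meta["KeyState"] != "Enabled":
        findings.append(f"key state is {meta['KeyState']}; cryptographic operations will fail")
    if meta["Origin"] == "EXTERNAL":
        findings.append("imported key material: KMS does not rotate it, you must rotate it yourself")
    elif meta["Origin"] != "AWS_KMS" or meta["KeySpec"] != "SYMMETRIC_DEFAULT":
        # KMS automatic rotation only covers symmetric encryption keys with AWS_KMS origin.
        findings.append("not eligible for KMS automatic rotation (needs AWS_KMS origin and a symmetric key)")
    return findings


def triage_keys(describe_key_outputs):
    """Map key id -> findings for every key that has at least one finding."""
    report = {}
    for raw in describe_key_outputs:
        meta = parse_key_metadata(raw)
        notes = triage_key(meta)
        if notes:
            report[meta["KeyId"]] = notes
    return report


if __name__ == "__main__":
    for key_id, notes in triage_keys(SAMPLE_DESCRIBE_KEY_OUTPUTS).items():
        print(key_id)
        for note in notes:
            print("  -", note)
```

To run it against real keys, save each `aws kms describe-key` response to a file and pass the file contents to `triage_keys`; the list of key ids to query comes from `aws kms list-keys`.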
- Encrypt, decrypt, and re-encrypt content
To encrypt plaintext into ciphertext using your KMS key, run the Encrypt command, passing the key id you’d like to use and the data you’d like to encrypt. The API returns your ciphertext as a blob, the key id used, and the encryption algorithm used.
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile
You can specify additional parameters during encryption:
- EncryptionAlgorithm (SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256)
- EncryptionContext (dict)
To decrypt your ciphertext, run the Decrypt command and pass your ciphertext blob. If the ciphertext was produced with an asymmetric KMS key, you must also specify the key id. You should also specify the encryption algorithm and encryption context if the defaults were not used. The API returns your plaintext, the key id used for decryption, and the encryption algorithm used.
aws kms decrypt --ciphertext-blob fileb://ExampleCiphertextFile
You can specify the following additional parameters during decryption:
- EncryptionAlgorithm (SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256)
- EncryptionContext (dict)
If you are rotating keys or changing encryption algorithms, run the ReEncrypt command to re-encrypt your data under a new KMS key or algorithm. If the ciphertext was produced with an asymmetric KMS key, you must specify the source key id used during encryption. If a non-default encryption algorithm or an encryption context was used, be sure to pass them in the API call as well.
aws kms re-encrypt --ciphertext-blob fileb://ExampleCiphertextFile --destination-key-id 1234abcd-12ab-34cd-56ef-1234567890ac
You can specify the following additional parameters during re-encryption:
- DestinationEncryptionAlgorithm (SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256)
- DestinationEncryptionContext (dict)
- SourceEncryptionAlgorithm (SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256)
- SourceEncryptionContext (dict)
- SourceKeyId (string)
- Set, list, and retrieve key policies
Key policies are the primary way to control access to KMS keys in AWS KMS. To attach a key policy to a KMS key, run the PutKeyPolicy command. This API requires the key id the policy will be applied to, a policy name with “default” as the value, and the key policy itself.
aws kms put-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default --policy file://key_policy.json
Example key_policy.json
To list all the key policies attached to a KMS key, run the ListKeyPolicies command, supplying the key id of the KMS key. The returned value is a list of policy names.
aws kms list-key-policies --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
To view the contents of a policy, run the GetKeyPolicy command. You must supply the key id of the KMS key and the policy name in the API call.
aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default
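The BypassPolicyLockoutSafetyCheck parameter listed under key creation and the PutKeyPolicy command above share one risk: a key policy that removes the caller's own right to change the policy leaves the key unmanageable. The following is an added example, not code from the original article or from AWS, that performs a simplified, local version of that check before you call PutKeyPolicy. It confirms that the calling principal, either directly or through its account root principal (which, as in the default key policy, lets IAM policies in the account grant access), still retains kms:PutKeyPolicy. The account id 111122223333, the role names, and the three policy documents are constructed; the evaluation ignores Condition blocks on Allow statements and NotAction/NotPrincipal entirely, so it is a conservative pre-check, not a replacement for the check KMS itself performs.

```python
"""Offline lockout pre-check for a KMS key policy.

Added example, not from the original article or from AWS. Given a proposed
key policy and the ARN of the principal that will call PutKeyPolicy, answer
whether that principal would still be allowed kms:PutKeyPolicy afterwards.
Simplified: Allow statements with a Condition are not relied on, Deny
statements always count, NotAction/NotPrincipal are not handled.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account id used in AWS documentation
CALLER_ARN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"   # constructed caller
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
APP_ARN = f"arn:aws:iam::{ACCOUNT}:role/AppService"    # constructed app role


def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed key_policy.json in the shape of the default key policy: root gets
# kms:* (so IAM policies in the account can grant access) plus a usage-only statement.
SAFE_POLICY = _policy(
    {"Sid": "EnableIAMPolicies", "Effect": "Allow", "Principal": {"AWS": ROOT_ARN},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowUse", "Effect": "Allow", "Principal": {"AWS": APP_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*"], "Resource": "*"},
)
# Constructed policy that would lock the key: only the app role is named and it
# is never granted kms:PutKeyPolicy.
LOCKOUT_POLICY = _policy(
    {"Sid": "AllowUse", "Effect": "Allow", "Principal": {"AWS": APP_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
)
# Constructed policy where an explicit Deny removes the caller's admin right.
DENIED_POLICY = _policy(
    json.loads(SAFE_POLICY)["Statement"][0],
    {"Sid": "BlockAdmin", "Effect": "Deny", "Principal": {"AWS": CALLER_ARN},
     "Action": "kms:PutKeyPolicy", "Resource": "*"},
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_names_principal(stmt, account_id, principal_arn):
    """True if the statement's Principal covers the caller or the caller's account root."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False  # Service/Federated principals are not what we are checking
    root_arn = f"arn:aws:iam::{account_id}:root"
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", account_id, principal_arn, root_arn):  # bare account id means root
            return True
    return False


def _statement_covers_action(stmt, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def _statement_covers_key(stmt):
    """Key policies name the key as '*' or by its KMS ARN."""
    return any(r == "*" or r.startswith("arn:aws:kms:")
               for r in _as_list(stmt.get("Resource", [])))


def policy_keeps_put_key_policy(policy_json, caller_arn):
    """Return True if caller_arn keeps kms:PutKeyPolicy under the proposed policy."""
    policy = json.loads(policy_json)
    account_id = caller_arn.split(":")[4]
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_statement_covers_action(stmt, "kms:PutKeyPolicy")
                and _statement_names_principal(stmt, account_id, caller_arn)
                and _statement_covers_key(stmt)):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True                      # a Deny counts even if it has a Condition
        elif stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            allowed = True                     # a conditional Allow is not relied on
    return allowed and not denied


if __name__ == "__main__":
    for name, doc in (("SAFE", SAFE_POLICY), ("LOCKOUT", LOCKOUT_POLICY), ("DENIED", DENIED_POLICY)):
        verdict = "ok" if policy_keeps_put_key_policy(doc, CALLER_ARN) else "would lock out caller"
        print(f"{name}: {verdict}")
```

Run this against the contents of key_policy.json with the ARN that `aws sts get-caller-identity` reports for the profile you will use, and only call `aws kms put-key-policy` when it returns True; if you ever set BypassPolicyLockoutSafetyCheck, this is the check you are switching off on the service side.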
Final thoughts
AWS KMS keys give you control over your encryption needs in AWS. If you have applications that use AWS KMS, be sure to check the AWS SDK documentation for the appropriate syntax for your application’s programming language. It is good practice to always encrypt any valuable data you have at rest and in transit, and AWS KMS helps you do just that.
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.
Sources:
https://docs.aws.amazon.com/kms/latest/developerguide/programming-keys.html
https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html
https://docs.aws.amazon.com/cli/latest/reference/kms/
https://docs.aws.amazon.com/kms/latest/developerguide/asymm-create-key.html#create-asymmetric-keys-api