AWS KMS which stands for AWS Key Management Service is an aws managed service which is responsible for creating and managing encryption keys used to encrypt the user data. AWS KMS is highly available and a secure service.
Since KMS is used for Encryption, let’s have an idea about Encryption first.
What is Encryption :
Encyption is the process of converting a plain text to a format which only can be accessed by authoriezed parties and can’t access for those who are not authorized. Decyption is the process of converting an encypted text back to a human readable plaintext.
What is a ciphertext :
ciphertext is the output after encyption. Simply ciphertext is the end result after encypting a plaintext.
What is a secret key in encryption process :
The key which is used to encrypt the plaintext and again which is used to decrypt the encypted file.
There are two types of encyption
- Symmetric encyption
- Asymmetric encyption
In symmetric encyption, the same key is used for encyption and decryption while in asymmetric encyption, one key is used for encryption and another key is used to decrypt the encypted file, which are the secret key for the decryption and the public key for the encryption.
Features of AWS KMS
Centralized key management
AWS KMS is presenting as a single place where you can create, manage,rotate,import encyption keys on your need and also can manage permissions from the management console.
AWS Services integration
KMS is integrated in all most all of the aws services to make the key encyption part for your stoed data very easy. Some main aws services integrated with AWS KMS are Amazon EBS, Amazon S3, Amazon RDS ( Relational Database Service ) like services.
If you need AWS KMS has the ability to rotate your master keys once a year, then you don’t need to re encrypt the data which was already encypted.
A Regional service
AWS KMS is a regional based service. The encyption keys in one region is not available in another region. Also note that the keys generated in one region can’t be transfered to another region.
Custom key store
AWS provides an additional feature in KMS to store your created encyption keys as a store.
AWS KMS Terminology
- Master key
A master key in AWS KMS is a key which only can use inside of KMS and it will never leave AWS. We use this master keys to encypt our data keys. We will discuss about data keys in the middle of this article. So the encypted data key can be stored by the service or the application. There are two types of master keys in kms.a.) AWS managed master keys
b.) Customer managed master keys
In AWS managed master keys, AWS is managing the master keys and customer managed master keys are managed by the own customers. The benefits of using your own master keys are ( customer managed master keys ) there are so many options which are not available in aws managed keys. In AWS managed keys we only can generate the master key and also it can’t be deleted. Once created the master key, it is there all the time, it will never leave.
The difference in between aws managed master keys and customer managed master keys as below.
AWS managed master keys are for the lifetime ( can’t be deleted ) while customer managed master keys can be deleted when no usable.
AWS managed master keys have limited customization and in customer managed master keys can be customized with different options.
In customer managed keys, we can give administrative access to different parties like users, roles and also we can define who can use this key same as like users and roles.
In customer managed keys, we have an option to allow the keys to be used by other aws accounts and also can enable/disable automatic key rotation.
Customer managed keys can be deleted by giving a key deletion period ( min -7 days )
AWS managed master keys are always visible like aws/ebs, aws/rds, aws/acm, aws/sns like that. Which means the master key alias is created starting from aws and later the related aws service.
But in customer managed keys you can give any alias.
- Data Key
Data key is the one who doing the encyption part in your data. The master keys are creating a data key for encyption process. So once a aws service requests aws kms to encypt, the master key generates a data key and do the encyption.
How AWS Key Management Service ( KMS ) encyption works
Think about the scenario in above image.
You have a plaintext. You need to encypt this. First you have to create a master key ( may be an aws manaed or a customer managed ). From the master key the data key will be created. Remember when generating this data key, there will be two forms of that data key. One is the plain format of the data key and other one is the encypted data key. In the encryption process, the plain format of the data key would be used and after the encyption that plain format of the data key would be deleted. Also after the encyption is over the encypted format of the data key will be stored along with our encypted file.
When decrypting, firstly the encypted data key will be decrypted by using the master key in KMS. So now we have the plaintext of our data key. Later on we can decrypt our encypted text file by using the decrypted data key. So to decrypt our file, the master key is needed. Without the master key, no one can see your data.
So this article covers most of the basics in AWS Key management service ( KMS ).
You can check AWS KMS frequently asked questions from this link.