Beta

AWS Certified SysOps Administrator - Associate

Domain 4 Security and Compliance

Key Management Service KMS

Welcome to this comprehensive lesson on the Key Management Service (KMS). In this guide, we explore both the software-based and hardware-based (CloudHSM) versions of KMS, highlighting their features, benefits, and integrations with AWS services.

Why Do We Need Encryption?

Encryption is vital for protecting data from breaches, man-in-the-middle attacks, and unauthorized access. By encrypting sensitive information, even if data is compromised, it remains unreadable to malicious actors. This layered defense makes unauthorized decryption practically impossible.

The image illustrates the need for encryption by showing a client, server, and unauthorized access attempt, highlighting that encrypted data cannot be read by unauthorized users.

When discussing encryption in AWS, we refer to the Key Management Service. KMS securely and reliably manages encryption keys for AWS services and applications. As a managed service, it handles critical cryptographic operations such as key creation, rotation, deletion, expiration, signing, and verification.

The image illustrates a KMS (Key Management Service) concept with icons representing the creation of KMS keys and cryptographic operations.

Key Metadata and Integration

Each key managed by KMS includes crucial metadata such as:

  • Key ID and Amazon Resource Name (ARN)
  • Cryptographic material (key material)
  • State indicators (enabled, disabled, scheduled for deletion, etc.)
  • Permissions similar to IAM roles
  • Tags, creation date, key usage, key specifications, and rotation status

Note

While memorizing these metadata details is not necessary, understanding them is important for secure key management at the SysOps level.

The image is a diagram titled "Keys Metadata," listing various attributes related to key management, such as Key ID, ARN, Creation Date, Key Usage, and more, with a key icon in the center.

KMS integrates with nearly every AWS service that stores data at rest, including Amazon S3, EBS, RDS, EC2, SQS, Glue, ECS, EKS, and EFS. By 2025, almost every AWS service is expected to support some form of encryption. Moreover, KMS works seamlessly with CloudTrail and CloudWatch, allowing you to monitor key management operations, track request counts, analyze latency metrics, and even create custom dashboards.

The image illustrates the integration of AWS Key Management Service (KMS) with various AWS services, including Amazon S3, Amazon EBS, Amazon RDS, and other AWS services.

The image illustrates a KMS Monitoring setup, showing a key management service connected to AWS CloudTrail and Amazon CloudWatch.

Types of Keys in KMS

KMS supports multiple key types designed for various encryption needs:

  • Customer Managed Keys (CMKs):
    CMKs offer full flexibility and control. You can create, rotate, delete, and set permissions for these keys. They are available in both symmetric and asymmetric variants:

    • Symmetric keys: Use a single key for both encryption and decryption.
    • Asymmetric keys: Use a public-private key pair; the public key is used for signature verification while the private key handles decryption and signing.

  • Data Keys:
    Data keys are used to encrypt and decrypt large volumes of data. Typically, a data key is generated and then protected (encrypted) by a CMK through envelope encryption. In this method, your data is secured with a data key, which is itself encrypted by a CMK, ensuring that even if stored alongside the encrypted data, the data key is protected.

The image illustrates a Key Management Service (KMS) setup, showing a user interacting with both Customer Managed Keys (CMK) and AWS Managed Keys for services like SQS, S3, and EBS.

Envelope Encryption Process

Envelope encryption involves generating both a plaintext data key and an encrypted data key. The process is as follows:

  1. The CMK encrypts the plaintext data key.
  2. The plaintext data key is used to encrypt your data.
  3. The encrypted data key is stored alongside the encrypted data.
  4. To decrypt the data, the encrypted data key is first decrypted using the CMK, and then the plaintext data key decrypts the data.

The image illustrates the process of encryption and decryption using symmetric and asymmetric Customer Master Keys (CMKs), showing the flow of data and keys.

The image illustrates the process of creating a symmetric data key using a KMS key, showing the transformation from a plaintext data key to an encrypted data key through an encryption algorithm.

The image illustrates the process of encrypting data using a data key, showing plaintext data being converted into ciphertext with an encryption algorithm and stored in an S3 bucket along with the encrypted data key.

For asymmetric keys, the encryption process uses a public key for encrypting data or verifying signatures, while the private key—kept confidential—is used for decryption or signing.

Software KMS Features

The software-based KMS service offers the following features:

  • Centralized key management
  • Tight integration with AWS services
  • Customer-controlled key management, including scheduled and automated key rotations
  • Detailed audit and compliance capabilities through integration with CloudTrail and CloudWatch

The image lists five features: Centralized Key Management, Integrated with AWS Services, Customer Controlled, Automated Key Rotation, and Audit and Compliance.

Important

Please note that the software version of KMS is not FIPS 140 compliant. For environments requiring stricter compliance, consider using the hardware alternative.

CloudHSM: The Hardware Version of KMS

For environments that must adhere to stringent security standards, such as FIPS 140-2, AWS provides CloudHSM—a hardware-based version of KMS. CloudHSM leverages dedicated hardware security modules (HSMs) for heightened cryptographic security. While offering similar core functionalities as KMS, CloudHSM ensures that cryptographic keys remain within secure, dedicated hardware.

Key characteristics of CloudHSM include:

  • Key operations executed on dedicated hardware modules.
  • Clustering of multiple HSMs for high availability and load balancing.
  • Keys never leave the HSM cluster, preserving maximum security.
  • Seamless integration with AWS services, while customers maintain complete control over their keys.

The image illustrates a CloudHSM system where data is sent to a Hardware Security Module (HSM) for encryption and decryption, with keys securely stored on the HSM.

The image is a diagram illustrating the architecture of AWS CloudHSM, showing an HSM cluster within a VPC, a user managing the HSM, and an EC2 instance running a CloudHSM client and application.

The image lists five features: dedicated hardware security, full control over keys, scalability and resilience, integration with AWS services, and regulatory compliance. Each feature is represented with an icon and a number.

Summary

AWS provides two primary solutions for key management:

  • Software-based KMS: Delivers centralized management, flexibility, and seamless integration with AWS services.
  • CloudHSM (Hardware KMS): Meets high compliance and security requirements by using dedicated HSMs to protect cryptographic keys.

Both solutions support the generation and management of customer-managed keys and data keys, as well as both symmetric and asymmetric encryption methods, ensuring your data remains secure throughout its lifecycle.

Thank you for reading this lesson on KMS. We trust you found this discussion clear and informative.

For more detailed information, explore AWS KMS Documentation.

Watch Video

Watch video content

Previous
Encryption in Transit Options for AWS Services Overview
Next
KMS Around Encryption Keys Best Practices