AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
AWS KMS is a managed service that is integrated with various other AWS Services. You can use it in your applications to create, store and control encryption keys to encrypt your data. KMS allows you to gain more control for access to the data that you encrypt. KMS assures 99.99999999999% durability of the keys.
It also provides high availability as keys are stored in multiple AZ’s within a region. KMS is integrated with the CloudTrail. You can audit, for what purpose, by whom and when the key was used which helps to meet compliance and regulatory needs.
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Amazon KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services.
- Even though KMS is a global service but keys are regional that means you can’t send keys outside the region in which they are created.
- How does AWS KMS protect the confidentiality and integrity of your keys? KMS uses FIPS 140-2 validated HSMs (Hardware Security Modules).
- Whether you are writing your own application or using other AWS services, you can control who can access your master keys and gain access to your data.
- When you are importing keys in KMS make sure to maintain a copy of those keys so that you can re-import them anytime.
- KMS stores Customer Master Keys(CMK) which is a logical representation of a key.
- Key can be generated by KMS or imported.
- The encrypted data keys are stored with the data
- CMK never leaves KMS and never leaves a region
- CMK can encrypt or decrypt data up to 4KB in size.
Advantage of AWS KMS:
We can use IAM Policies for KMS access
AWS Services (RDS, S3, DynamoDB, EBS…) integrated directly with KMS
It uses FIPS 140–2 compliant hardware module to manage access to key material.
Integrated fully with CloudTrail for auditing function
Features AWS KMS:
You can perform the following key management functions:
- Create symmetric and asymmetric keys where the key material is only ever used within the service
- Create symmetric keys where the key material is generated and used within a custom key store under your control*
- Import your own symmetric key material for use within the service
- Create both symmetric and asymmetric data key pairs for local use within your applications
- Define which IAM users and roles can manage keys
- Define which IAM users and roles can use keys to encrypt and decrypt data
- Choose to have keys that were generated by the service to be automatically rotated on an annual basis
- Temporarily disable keys so they cannot be used by anyone
- Re-enable disabled keys
- Schedule the deletion of keys that you no longer use
- Audit use of keys by inspecting logs in AWS CloudTrail
- The use of custom key stores requires CloudHSM resources to be available in your account.
Benefits of AWS KMS:
1. Fully managed
You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys.
2. Centralized key management:
AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI.
3. Manage encryption for AWS services
AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.
4. Encrypt data in your applications
AWS KMS is integrated with the AWS Encryption SDK to enable you to used KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs you can also build encryption and key management into your own applications wherever they run.
5. Digitally sign data
AWS KMS enables you to perform digital signing operations using asymmetric key pairs to ensure the integrity of your data. Recipients of digitally signed data can verify the signatures whether they have an AWS account or not.
6. Low cost
There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per-request when you use or manage your keys beyond the free tier.
AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Your keys are only used inside these devices and can never leave them unencrypted. KMS keys are never shared outside the AWS region in which they were created.
The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.
9. Built-in auditing:
AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys. Logging API requests helps you manage risk, meet compliance requirements and conduct forensic analysis.
Amazon Web Service – AWS Tutorial
Top 13 Reasons to Why Learn AWS in 2022
Amazon DynamoDB – Benefits, Consistency Model
Amazon CloudWatch – Concepts, Advantages, Benefits and Alarms
What is AWS CloudTrail ? – AWS CloudTrail