{"id":70285,"date":"2019-02-19T06:03:06","date_gmt":"2019-02-19T06:03:06","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=70285"},"modified":"2024-10-04T14:23:54","modified_gmt":"2024-10-04T08:53:54","slug":"aws-kms","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/aws-kms\/","title":{"rendered":"An Introduction to AWS Key Management Service (AWS KMS)"},"content":{"rendered":"<p style=\"text-align: justify;\">Hope your <a href=\"https:\/\/www.whizlabs.com\/blog\/aws-certified-solutions-architect-associate-guide\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CSAA exam preparation<\/a> is going well. To help you with your preparation, here we bring another topic &#8211; AWS Key Management Service. This topic comes under the &#8220;Specify Secure Applications and Architectures&#8221; domain of the exam. While preparing for the AWS Certified Solutions Architect Associate exam, you need an overview of AWS KMS.<\/p>\n<p style=\"text-align: justify;\">So, here in this article, we&#8217;ll cover an introduction to the AWS Key Management Service.<\/p>\n<blockquote><p>Try Now: <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/free-test\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Solutions Architect Associate Free Test<\/a><\/p><\/blockquote>\n<h2 style=\"text-align: justify;\">What is the AWS\u00a0Key Management Service?<\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">AWS KMS is a managed service that is integrated with various other AWS services. You can use it in your applications to create, store and control the encryption keys that encrypt your data. KMS gives you more control over access to the data that you encrypt. KMS assures 99.99999999999% durability of the keys. <\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">It also provides high availability, as keys are stored in multiple AZ\u2019s within a region. 
KMS is integrated with CloudTrail. You can audit when a key was used, by whom and for what purpose, which helps to meet compliance and regulatory needs.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Some noteworthy points you should know about AWS Key Management Service: <\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Even though KMS is a global service, keys are regional, which means you can\u2019t send keys outside the region in which they were created.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">How does AWS KMS protect the confidentiality and integrity of your keys? KMS uses FIPS 140-2 validated HSMs (Hardware Security Modules).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Whether you are writing your own application or using other AWS services, you can control who can access your master keys and thereby gain access to your data.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">When you import keys into KMS, make sure to keep a copy of those keys so that you can re-import them at any time.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/online-course\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-69738 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/01\/AWS_Certified_Solutions_Architect_Associate_Online_Course-2.gif\" alt=\"AWS CSAA Online Course\" width=\"728\" height=\"90\" \/><\/a><\/p>\n<h3 style=\"text-align: justify;\">How does AWS KMS Encrypt Your Data?<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Well, actually it doesn\u2019t. The primary resource of KMS is the customer master key (CMK), which can encrypt or decrypt data up to 4096 bytes. 
We generally have a lot of data, be it in S3, EBS, RDS, etc., so we can\u2019t use CMKs for that directly. Therefore, we use KMS CMKs to generate, encrypt and decrypt data keys, which are used outside of KMS to encrypt large amounts of data. It is these data keys created by CMKs that do the actual encryption\/decryption. <\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">You can create, use or manage the CMKs through AWS KMS. They never leave the AWS KMS FIPS-validated hardware security modules. This is different for data keys, as AWS KMS does not store, manage or perform any kind of cryptographic operation with your data keys. You must use them outside of AWS KMS, for example with OpenSSL or other cryptographic libraries like the AWS Encryption SDK.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">To create a data key, call the GenerateDataKey operation. AWS KMS then uses the specified CMK to generate the data key. As you can see from the figure below, it returns one plaintext data key and an encrypted copy of that data key.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-70289 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-1.png\" alt=\"AWS KMS\" width=\"486\" height=\"545\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-1.png 486w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-1-268x300.png 268w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-1-375x420.png 375w\" sizes=\"(max-width: 486px) 100vw, 486px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">This plaintext data key is used to encrypt the data, and then the plaintext key is removed from memory as soon as possible so that the data doesn\u2019t get compromised. 
The encrypted data key is stored along with the encrypted data so that it can be used during decryption.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-70290 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-2.png\" alt=\"Key Management Service\" width=\"538\" height=\"322\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-2.png 538w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-2-300x180.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-2-537x322.png 537w\" sizes=\"(max-width: 538px) 100vw, 538px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Now that the encryption part is done, for decryption you need to use the Decrypt operation. AWS KMS uses the customer master key to decrypt the encrypted data key stored along with the data. It returns the plaintext key, which is then used to decrypt the data; again, this plaintext key is removed from memory afterwards.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">The following diagram depicts this:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-70291 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-3.png\" alt=\"AWS KMS\" width=\"668\" height=\"409\" \/><\/p>\n<p>Image Courtesy: <a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html<\/a><\/p>\n<h3 style=\"text-align: justify;\">AWS Managed CMKs vs Customer Managed CMKs<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When you want an AWS service to encrypt data on your behalf, you can specify the CMK that you would like to use to generate, encrypt or decrypt data keys. These are customer managed CMKs. 
You have full control over them: you can enable, disable or rotate master keys, create IAM policies that restrict who can access the keys, and grant permissions for other accounts and services to use these keys.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">If you don\u2019t specify a CMK when you create an encrypted resource for the first time within a service, that AWS service will create an AWS managed CMK. In that case, the access control and key policies are managed by AWS itself. Even though you don\u2019t have direct control over these keys, you can still track AWS managed keys and their usage in CloudTrail.<\/span><\/p>\n<p><strong>Note:<\/strong> <a href=\"https:\/\/www.whizlabs.com\/aws-certified-machine-learning-specialty\/\" target=\"_blank\" rel=\"noopener\">AWS Machine Learning certification<\/a> is one of the best among AWS certifications for machine learning professionals. Learn about <a href=\"https:\/\/www.whizlabs.com\/blog\/top-aws-machine-learning-tools\/\" target=\"_blank\" rel=\"noopener\">AWS ML<\/a> and get ahead towards the certification preparation with the AWS Certified Machine Learning Speciality free test.<\/p>\n<h4 style=\"text-align: justify;\">Envelope Encryption<\/h4>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">As discussed above, CMKs can be used to generate, encrypt or decrypt data keys. 
Envelope encryption means encrypting the data with a plaintext data key and then encrypting that plaintext data key with another key, the customer master key (CMK).<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-70292 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS-KMS-4.png\" alt=\"Envelope Encryption\" width=\"618\" height=\"187\" \/><\/p>\n<h3>Final Words<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Key Management Service (KMS), along with Server-side Encryption in S3, is one of the most important topics for the CSAA certification exam. If you want to understand how KMS integrates with S3, please refer to our previous blog on <a href=\"https:\/\/www.whizlabs.com\/blog\/s3-server-side-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">S3 Server-Side Encryption<\/a>. We hope this article has helped you in your AWS CSAA exam preparation and that it is also beneficial for pursuing the <a href=\"https:\/\/www.whizlabs.com\/aws-developer-associate\/\" target=\"_blank\" rel=\"noopener\">AWS Certified Developer Associate Certification<\/a>.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">You can also take the Whizlabs <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/online-course\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CSAA Online Course<\/a> to prepare for the AWS Certified Solutions Architect Associate exam. Also, you can take the <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/practice-tests\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CSAA Practice tests<\/a> to check your current level of preparation. 
After that, we also offer AWS Professional courses under <span data-sheets-value=\"{&quot;1&quot;:2,&quot;2&quot;:&quot;aws solution architect&quot;}\" data-sheets-userformat=\"{&quot;2&quot;:14337,&quot;3&quot;:{&quot;1&quot;:1},&quot;14&quot;:{&quot;1&quot;:3,&quot;3&quot;:1},&quot;15&quot;:&quot;Calibri&quot;,&quot;16&quot;:11}\"><a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-professional\/\" target=\"_blank\" rel=\"noopener\">AWS Solution Architect<\/a> to help you expand your career. <\/span>So, join us today and prepare yourself to pass the AWS Certified Solutions Architect Associate (AWS CSAA) exam. For more help, we also provide a complete guide to the <span data-sheets-value=\"{&quot;1&quot;:2,&quot;2&quot;:&quot;aws solution architect associate&quot;}\" data-sheets-userformat=\"{&quot;2&quot;:14337,&quot;3&quot;:{&quot;1&quot;:1},&quot;14&quot;:{&quot;1&quot;:3,&quot;3&quot;:1},&quot;15&quot;:&quot;Calibri&quot;,&quot;16&quot;:11}\"><a href=\"https:\/\/www.whizlabs.com\/blog\/aws-certified-solutions-architect-associate-guide\/\" target=\"_blank\" rel=\"noopener\">AWS Solution Architect Associate<\/a> certification.<\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Have any queries regarding AWS KMS? Just write in the comment section below and we&#8217;ll be happy to respond. You can also raise your query in the <a href=\"http:\/\/ask.whizlabs.com\/c\/aws\" target=\"_blank\" rel=\"noopener noreferrer\">Whizlabs Forum<\/a> to get it resolved by industry experts.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hope your AWS CSAA exam preparation is going well. To help you with your preparation, here we bring another topic &#8211; AWS Key Management Service. This topic comes under &#8220;Specify Secure Applications and Architectures&#8221; domain of the exam. While preparing for the AWS Certified Solutions Architect Associate exam you need to know an overview of AWS KMS. 
So, here in this article, we&#8217;ll cover an introduction to the AWS Key Management Service. Try Now: AWS Certified Solutions Architect Associate Free Test What is the AWS\u00a0Key Management Service? AWS KMS is a managed service that is integrated with various other AWS [&hellip;]<\/p>\n","protected":false},"author":169,"featured_media":70308,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[237,300,1711,1729,1730],"class_list":["post-70285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-aws-certified-solutions-architect-associate","tag-aws-solution-architect","tag-csaa","tag-key-management-service","tag-kms"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS-150x150.png",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS-300x158.png",300,158,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",24,13,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",48,25,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",96,50,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",150,79,false],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",300,158,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS-250x250.png",250,250,true],"web-stories-poster-portrait":["https:
\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",600,315,false],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",96,50,false],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/AWS_KMS.png",150,79,false]},"uagb_author_info":{"display_name":"Girdharee Saran","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/girdharee\/"},"uagb_comment_info":44,"uagb_excerpt":"Hope your AWS CSAA exam preparation is going well. To help you with your preparation, here we bring another topic &#8211; AWS Key Management Service. This topic comes under &#8220;Specify Secure Applications and Architectures&#8221; domain of the exam. While preparing for the AWS Certified Solutions Architect Associate exam you need to know an overview of&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/169"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=70285"}],"version-history":[{"count":9,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70285\/revisions"}],"predecessor-version":[{"id":97705,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70285\/revisions\/97705"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/70308"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=70285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=70285"},{"taxonomy":"post_tag","embeddable":true,"h
ref":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=70285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}