KMS
If you’ve just landed here, we’re doing a “Become a Cloud Architect” Unicorn Workshop by building a Unicorn Pursuit Web App step by step, and you’re more than welcome to join!
About KMS
KMS is AWS Key Management Service, Amazon’s managed key management service. KMS uses hardware security modules (HSMs) to protect the confidentiality and integrity of key material: the master keys are generated inside the HSMs and never leave them in plaintext. KMS is used to encrypt data to help protect it against improper access.
KMS uses symmetric encryption (the default key type). Ciphertext is the encrypted form of plaintext. A customer managed CMK is created and then assigned to resources that support it for encryption, for example SQS queues and CloudWatch Logs log groups. The key hierarchy is:
- CMK, or Customer Master Key (today called a KMS key), usually referenced through an alias, is the top of the hierarchy. It is created in KMS (the console used to list it under IAM as “Encryption keys”), and access to it is granted to IAM roles and users through its key policy and IAM policies.
- The CMK is used to encrypt (wrap) data keys; the CMK itself never leaves KMS in plaintext.
Keep in mind that the keys are created in the console under “Encryption keys” (historically in the IAM section), and that KEYS ARE REGIONAL: a CMK lives in one region, and by default ciphertext encrypted under it can only be decrypted through KMS in that same region.
The most useful AWS CLI commands (each is also available through the API) are:
- aws kms encrypt: encrypts up to 4 KiB of plaintext directly under a CMK
- aws kms re-encrypt: re-encrypts a ciphertext under a different customer master key, without the plaintext ever leaving KMS
- aws kms decrypt: decrypts a ciphertext; for symmetric keys the CMK is identified from metadata stored in the ciphertext blob
- aws kms enable-key-rotation: turns on automatic rotation of the CMK’s backing key material
KMS Envelope Encryption: the data is encrypted locally with a data key (also called the envelope key), and that data key is itself encrypted with the master key. We basically encrypt the key that encrypts our data, and store the encrypted data key next to the ciphertext. So, on decryption:
- the Customer Master Key is used (inside KMS) to decrypt the data key
- the plaintext data key is then used locally to decrypt the data, and discarded
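Here is an added example, not part of the workshop’s code or of AWS’s own SDKs, that walks through both the CLI commands above (encrypt, decrypt, generate-data-key) and the envelope pattern in Go. It uses a simulated, in-process KMS: fakeKMS, its methods, the ARN account ID 123456789012 and the alias names are all assumptions made for the demo, and AES-256-GCM stands in for whatever the real service does inside its HSMs. The simulation keeps the property that matters: the CMK material never leaves the "service", and a second fakeKMS (another region) cannot find the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for one region's KMS endpoint (assumed for this example): key
// ARN -> CMK material that never leaves the map, so another region's fakeKMS cannot find it.
type fakeKMS map[string][]byte

// CreateKey models "aws kms create-key"; the account ID in the ARN is made up.
func (k fakeKMS) CreateKey(region, alias string) string {
	id := fmt.Sprintf("arn:aws:kms:%s:123456789012:key/%s", region, alias)
	k[id] = randomBytes(32)
	return id
}

// Encrypt models "aws kms encrypt"; the key ARN is bound as AAD so the blob opens only under that CMK.
func (k fakeKMS) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	cmk, ok := k[keyID]
	if !ok {
		return nil, fmt.Errorf("%s not found in this region", keyID)
	}
	return seal(cmk, plaintext, []byte(keyID)), nil
}

// Decrypt models "aws kms decrypt" (the real service reads the key ARN out of the blob).
func (k fakeKMS) Decrypt(keyID string, blob []byte) ([]byte, error) {
	cmk, ok := k[keyID]
	if !ok {
		return nil, fmt.Errorf("%s not found in this region", keyID)
	}
	return open(cmk, blob, []byte(keyID))
}

// GenerateDataKey models "aws kms generate-data-key": a fresh data key, returned in plaintext and wrapped.
func (k fakeKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = k.Encrypt(keyID, plain)
	return plain, wrapped, err
}

// Envelope is what the client stores: the ciphertext plus the wrapped data key, never the plaintext key.
type Envelope struct {
	KeyID                  string
	WrappedKey, Ciphertext []byte
}

// EnvelopeEncrypt: one KMS call for a data key, then local AES-GCM over a payload of any size.
func EnvelopeEncrypt(kms fakeKMS, keyID string, data []byte) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedKey: wrapped, Ciphertext: seal(dk, data, nil)}, nil
}

// EnvelopeDecrypt: the CMK (inside KMS) unwraps the data key, which then decrypts the payload locally.
func EnvelopeDecrypt(kms fakeKMS, env *Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, nil)
}

// seal and open are AES-256-GCM with the random nonce prefixed to the blob.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}
```

The real flow has the same shape: aws kms generate-data-key --key-id alias/your-key --key-spec AES_256 returns Plaintext and CiphertextBlob; you encrypt locally with Plaintext, store CiphertextBlob next to the data, and later hand CiphertextBlob to aws kms decrypt to get the data key back. Two things the simulation shows that the bullet points do not: decrypting through a KMS endpoint in another region fails because the key simply does not exist there, and a wrapped data key cannot be unwrapped under a different CMK even within the same region. A real client should also wipe the plaintext data key from memory as soon as it has been used.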
Code
Deep Dive
Where to find more info