Sunday, November 19, 2017

AWS KMS: Explained

AWS Key Management Service (AWS KMS) is a managed service used to create and control the encryption keys that encrypt your data. AWS KMS integrates with other AWS services such as EBS, S3 and DynamoDB.

Key Concepts of AWS KMS at a glance


Customer Master Keys

The primary resource in AWS KMS is the Customer Master Key (CMK). CMKs are either customer-managed or AWS-managed. A CMK can be used to protect up to 4 KB of data directly, but the recommended pattern is to use the CMK to protect data keys, which in turn are used to protect the actual data. CMKs never leave AWS KMS unencrypted.
A customer-managed CMK can be rotated once a year.

Data Keys

Data keys are used to protect the actual data. In envelope encryption, data keys are encrypted by the CMK, and the data keys, kept only in encrypted form, are used to encrypt and decrypt the actual data. AWS KMS offers APIs to create data keys. While the AWS KMS APIs can be used to generate, encrypt and decrypt data keys, AWS KMS does not store, manage or track your data keys; that has to be done in the application.

Envelope Encryption

AWS KMS uses envelope encryption to protect data. Envelope encryption is the practice of encrypting plaintext data with a unique data key, and then encrypting that data key with a key encryption key (KEK). There can be multiple levels of KEKs: a KEK can itself be encrypted with another KEK. Ultimately, though, the top-level KEK has to be encrypted by a master key. A master key is an unencrypted (plaintext) key with which you can decrypt one or more keys.
In KMS, the master key is called the Customer Master Key (CMK).
Envelope encryption offers the following advantages:
  1. It protects the data keys.
  2. The same data can be encrypted under multiple master keys.

The following image provides an overview of how envelope encryption works in AWS KMS.

(Image: Envelope encryption)


Encryption Context

All AWS KMS cryptographic operations (encryption and decryption) accept an optional set of key-value pairs that can carry additional contextual information about the data. This set of key-value pairs is called the encryption context. The encryption context used for encryption must be supplied again, unchanged, for decryption of that data to succeed. The encryption context is not secret: it can be logged, and it can be used for auditing and for controlling access to AWS KMS API operations.
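To make the envelope encryption and encryption context sections concrete, here is an added example (not code from this post or from AWS) that mocks the KMS boundary in Go: the CMK lives inside the KMS type and is never returned, GenerateDataKey/Decrypt mirror the KMS data-key APIs, and the application keeps only the encrypted data key beside its ciphertext. It assumes AES-256-GCM as the wrapping cipher and a JSON encoding of the context as the additional authenticated data; real KMS binds the context server-side by its own means.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)
// Plumbing. Keys are always 32 bytes here, so NewCipher/NewGCM cannot fail; rand failure is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func gcm(key []byte) cipher.AEAD { block, _ := aes.NewCipher(key); aead, _ := cipher.NewGCM(block); return aead }
// seal prefixes a fresh nonce; aad is authenticated but not encrypted. open rejects any change to either.
func seal(aead cipher.AEAD, pt, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, aad)
}
func open(aead cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(ct) >= n { return aead.Open(nil, ct[:n], ct[n:], aad) }
	return nil, errors.New("ciphertext too short")
}
// contextAAD encodes the encryption context canonically (encoding/json sorts map keys) for use as AAD.
func contextAAD(ctx map[string]string) []byte { aad, _ := json.Marshal(ctx); return aad }

// KMS stands in for AWS KMS (an assumption of this example): the CMK lives here and is never returned.
type KMS struct{ cmk cipher.AEAD }
func NewKMS() *KMS { return &KMS{cmk: gcm(randomBytes(32))} }
// GenerateDataKey returns a plaintext data key plus a copy encrypted under the CMK and bound to ctx;
// Decrypt unwraps that copy and fails unless the caller presents the same ctx.
func (k *KMS) GenerateDataKey(ctx map[string]string) (plain, encrypted []byte) {
	plain = randomBytes(32)
	return plain, seal(k.cmk, plain, contextAAD(ctx))
}
func (k *KMS) Decrypt(encrypted []byte, ctx map[string]string) ([]byte, error) {
	return open(k.cmk, encrypted, contextAAD(ctx))
}

// Application side of envelope encryption: only the encrypted data key is stored beside the data.
func EncryptEnvelope(k *KMS, data []byte, ctx map[string]string) (encKey, ct []byte) {
	plainKey, encKey := k.GenerateDataKey(ctx)
	return encKey, seal(gcm(plainKey), data, nil)
}
func DecryptEnvelope(k *KMS, encKey, ct []byte, ctx map[string]string) ([]byte, error) {
	plainKey, err := k.Decrypt(encKey, ctx)
	if err != nil { return nil, err }
	return open(gcm(plainKey), ct, nil)
}
```

Decrypting with a different or missing context, a tampered ciphertext, or a different KMS instance (another CMK) all fail, which is what makes the context usable as an access-control and audit attribute.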


Refer to the links below to understand how envelope encryption works.

Sources:
http://docs.aws.amazon.com/kms/latest/developerguide/overview.html
http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
http://docs.aws.amazon.com/kms/latest/developerguide/workflow.html
