
KMS Basics

  • Regional, public service: every region runs its own independent KMS with its own endpoints.
  • Creates, stores and manages cryptographic keys.
  • Key material never leaves KMS; every cryptographic operation with a KMS key runs inside the service.
  • The KMS HSMs are FIPS 140-2 validated (overall Level 2, with Level 3 in several categories).
  • KMS keys are managed by KMS. They were previously called Customer Master Keys (CMKs), a name that still shows up in older documentation and API identifiers.
  • A KMS key is a logical container for the actual cryptographic key, the backing key material.
  • A KMS key consists of an ID (key ID and ARN), creation date, key policy, description, state and the backing key material.
  • Encrypt, Decrypt and ReEncrypt with a KMS key accept at most 4 KB (4096 bytes) of data per call; this is meant for small secrets and data keys, not bulk data.
  • Nothing in KMS is stored unencrypted on disk; plaintext key material exists only in HSM memory.
  • Encrypt returns ciphertext and the caller never handles the key itself. For symmetric KMS keys the ciphertext blob carries metadata identifying the key, so Decrypt does not have to be told the key ID (supplying it anyway is good practice, since it pins which key is expected).
  • KMS keys are isolated to the region they were created in and never leave it by default (multi-region keys are the opt-in exception).
  • Keys are either AWS owned (used by a service across many accounts and not visible in yours) or customer owned.
  • Customer-owned keys are either AWS managed (created by a service on your behalf, aliased aws/<service>, visible but not controllable) or customer managed (created and fully controlled by you, including the key policy).
  • Rotation of AWS managed keys is automatic and cannot be disabled or customized; for customer managed keys it is optional.
  • When a key is rotated, KMS keeps the previous backing keys, so data encrypted under them can still be decrypted; new encryptions use the current backing key.
  • Key policies are resource policies attached to the key.
  • Unlike other services, a KMS key does not automatically trust the AWS account that contains it: the key policy has to explicitly grant the account (its root principal) access before IAM identity policies in that account can grant permissions on the key.
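The last two bullets in concrete form, as an added example that is not the page's code and not an AWS tool: three constructed key policies (the first has the shape of the account-root statement KMS generates by default) and a small check that reports whether a policy trusts the account root and whether it carries a wildcard principal. The policy documents and the account ID 111122223333 are placeholders; AuditKeyPolicy, Finding and the helpers are names chosen here. The check ignores Condition blocks, so it is a triage aid, not a full policy evaluator.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample policies (not from the page). 111122223333 is a
// placeholder account ID. The first has the shape of the default statement
// KMS generates: the account root gets kms:*, which is what lets IAM policies
// in that account grant permissions on the key.
const trustsAccount = `{"Version": "2012-10-17", "Statement": [{
  "Sid": "Enable IAM User Permissions", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*", "Resource": "*"}]}`

// Only one user is named, so IAM policies elsewhere in the account are inert.
const userOnly = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
  "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}`

// Wildcard principal: any AWS principal could use the key.
const wildcard = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]}`

// Only the fields the check needs. Principal and Action can each be a string
// or a structure, so they are kept raw and decoded by the helpers below.
type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
}

type keyPolicy struct {
	Statement []statement `json:"Statement"`
}

// asStrings decodes a JSON value that is either a string or a list of strings.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // anything else decodes to nil
	return many
}

// awsPrincipals returns the principals under "AWS", or "*" for a bare wildcard.
func awsPrincipals(raw json.RawMessage) []string {
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return []string{star}
	}
	var obj struct{ AWS json.RawMessage }
	if json.Unmarshal(raw, &obj) != nil {
		return nil
	}
	return asStrings(obj.AWS)
}

// Finding records what this audit looks for. Conditions are ignored, so treat
// a PublicAccess hit as something to read, not an automatic verdict.
type Finding struct {
	AccountTrusted bool // an Allow grants kms:* (or *) to the account root
	PublicAccess   bool // an Allow names a wildcard principal
}

// AuditKeyPolicy checks one key policy document against the owning account.
func AuditKeyPolicy(policyJSON, accountID string) (Finding, error) {
	var pol keyPolicy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return Finding{}, err
	}
	root := "arn:aws:iam::" + accountID + ":root"
	var f Finding
	for _, st := range pol.Statement {
		if st.Effect != "Allow" {
			continue
		}
		allActions := false
		for _, a := range asStrings(st.Action) {
			allActions = allActions || a == "kms:*" || a == "*"
		}
		for _, p := range awsPrincipals(st.Principal) {
			f.PublicAccess = f.PublicAccess || p == "*"
			f.AccountTrusted = f.AccountTrusted || (p == root && allActions)
		}
	}
	return f, nil
}

func main() {
	for name, doc := range map[string]string{"trustsAccount": trustsAccount, "userOnly": userOnly, "wildcard": wildcard} {
		f, err := AuditKeyPolicy(doc, "111122223333")
		fmt.Printf("%-14s %+v %v\n", name, f, err)
	}
}
```

Run it against the output of `aws kms get-key-policy --policy-name default` for each key in an account: a key that reports AccountTrusted false is one where IAM policies silently do nothing, and one with PublicAccess true needs its Condition block read by a human.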

Data Encryption Keys ( DEKs)

  • Data keys exist to get past the 4 KB limit: KMS encrypts the small data key, and the data key encrypts the bulk data (envelope encryption).
  • They are generated by KMS with the GenerateDataKey operation, under a KMS key you specify.
  • Each DEK is tied to the KMS key that encrypted it, but KMS does not store DEKs; the caller is responsible for keeping the encrypted copy.
  • GenerateDataKey returns both a plaintext and a ciphertext (encrypted) version of the key.
  • Data is encrypted locally with the plaintext key, which is then discarded from memory.
  • The encrypted key is stored alongside the encrypted data. To decrypt, the encrypted DEK is passed to KMS Decrypt, which returns the plaintext DEK, and the data is decrypted locally.
  • S3 (SSE-KMS) generates a new DEK for every object, unless S3 Bucket Keys are enabled, in which case S3 requests a bucket-level key from KMS and derives per-object keys from it to reduce KMS calls.
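The DEK procedure in the list above, as an added example that is not the page's or AWS's own code. KMS itself is replaced by an in-memory stand-in (fakeKMS, an assumption of this example) whose key material is never returned and which enforces the 4 KB Encrypt limit; the envelope steps (generate a DEK, encrypt locally with AES-256-GCM, discard the plaintext DEK, store the encrypted DEK next to the ciphertext, recover it later through Decrypt) are the ones the notes describe. In real code the fakeKMS calls would be the SDK's GenerateDataKey and Decrypt; Envelope, seal, open and zero are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for one KMS key (an assumption of this example, not the
// AWS API); its material is unexported and never returned: keys never leave KMS.
type fakeKMS struct {
	keyID    string
	material []byte // 256-bit AES key, stays inside this struct
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// aead builds AES-256-GCM; every key here is 32 random bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag; open reverses it and fails on tampering.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt mirrors the 4 KB KMS limit; anything larger needs a data key. The
// key ID is bound as associated data, so a blob opens only under its own key.
func (k *fakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4096 {
		return nil, fmt.Errorf("%d bytes exceeds the 4096-byte Encrypt limit", len(plaintext))
	}
	return seal(k.material, plaintext, []byte(k.keyID)), nil
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	return open(k.material, blob, []byte(k.keyID))
}
// GenerateDataKey returns a fresh DEK in plaintext and encrypted form; the
// service keeps no copy, and only the encrypted form should be persisted.
func (k *fakeKMS) GenerateDataKey() (plaintext, encrypted []byte) {
	plaintext = randomBytes(32)
	return plaintext, seal(k.material, plaintext, []byte(k.keyID))
}

func zero(b []byte) { // discard a plaintext key once it is no longer needed
	for i := range b {
		b[i] = 0
	}
}
// Envelope is what gets stored: the encrypted DEK travels with the data.
type Envelope struct{ EncryptedDEK, Ciphertext []byte }

// EnvelopeEncrypt: generate a DEK, encrypt locally, discard the plaintext DEK.
func EnvelopeEncrypt(kms *fakeKMS, data []byte) Envelope {
	dek, edek := kms.GenerateDataKey()
	defer zero(dek)
	return Envelope{EncryptedDEK: edek, Ciphertext: seal(dek, data, nil)}
}

// EnvelopeDecrypt: one small KMS Decrypt call for the DEK, then local AES-GCM.
func EnvelopeDecrypt(kms *fakeKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.EncryptedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, env.Ciphertext, nil)
}

func main() {
	kms := &fakeKMS{keyID: "example-kms-key", material: randomBytes(32)}
	env := EnvelopeEncrypt(kms, make([]byte, 64*1024)) // 64 KiB, well over 4 KB
	_, err := EnvelopeDecrypt(kms, env)
	fmt.Println("envelope round trip ok:", err == nil)
}
```

Two properties worth noticing when adapting this to the real SDK: the plaintext DEK lives only as long as the local encryption and is zeroed afterwards, and the stored Envelope contains nothing that decrypts without a Decrypt call authorized by the KMS key's policy, which is what makes the key policy the real access control for the data.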