Tuesday, October 14, 2025

AWS Key Management Service (KMS) | Deep Dive

Intro:

A deep dive into AWS Key Management Service (KMS) — one of the most critical AWS security and encryption services.

Scope:

  •  Overview: AWS KMS
  •  Core Concepts
  •  How AWS KMS Works (Encryption Workflow)
  •  KMS Integration with AWS Services
  •  KMS Access Control
  •  AWS KMS Architecture Diagram
  •  Key Security Considerations and Compliance
  •  AWS KMS Pricing
  •  Advanced Features of KMS
  •  KMS Key Lifecycle

1. Overview: AWS KMS

AWS Key Management Service (KMS) is a fully managed encryption and key management service that allows twtech to:

  •  Create, store, and manage cryptographic keys.
  •  Control how keys are used across AWS services and twtech's own applications.
  •  Integrate encryption seamlessly with AWS services (such as S3, EBS, RDS, DynamoDB, Lambda, and more).

2. Core Concepts

  •  CMK / KMS Key – A logical representation of a master key. It includes metadata, key ID, policy, and key material.
  •  Key Material – The actual cryptographic material used for encryption/decryption.
  •  Customer Managed Key (CMK) – Created and managed by twtech. twtech defines key policies, IAM permissions, rotation, etc.
  •  AWS Managed Key – Automatically created and managed by AWS for each service (e.g., aws/s3, aws/ebs).
  •  AWS Owned Key – Fully managed by AWS and shared across multiple accounts; twtech can’t see or control them.
  •  Data Keys (DEKs) – Temporary keys generated under a CMK to encrypt actual data (used for Envelope Encryption).
  •  Key Policies – Resource-based policies that define who can use or manage a key.
  •  Grants – Provide temporary, fine-grained access to a KMS key (used by services like S3 and EBS).
  •  Automatic Key Rotation – Customer-managed keys can be automatically rotated every 365 days.

3. How AWS KMS Works (Encryption Workflow)

Envelope Encryption Process

Instead of encrypting large data directly with a CMK (slow and costly), KMS uses Envelope Encryption:

1.  The application requests a data key from KMS.
2.  KMS returns:
     o   a plaintext data key (used by the application to encrypt data locally);
     o   an encrypted data key (EDK), encrypted with the CMK.
3.  The plaintext key is used for encryption, then immediately discarded.
4.  The encrypted data key is stored alongside the encrypted data.
5.  To decrypt, the application sends the EDK to KMS, which returns the plaintext data key (temporarily); that key decrypts the data.

This design ensures that:

  •  The CMK never leaves KMS.
  •  Only authorized entities can decrypt data.
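The workflow above, as an added example that is not code from the original post or from AWS: a Go program in which a FakeKMS type stands in for the service side (it holds the backing key material and answers GenerateDataKey and Decrypt), while EncryptEnvelope and DecryptEnvelope are the application side. The cryptography is real AES-256-GCM from the Go standard library; the one-byte version prefix on the EDK, the key ID alias/twtech-KMS used in the tests and the way rotation is modelled are assumptions made for the example. It goes slightly beyond the five steps to show why automatic key rotation (section 2 and the Rotate phase of the key lifecycle) does not require re-encrypting existing data: the EDK records which backing material wrapped it, and KMS keeps older material for decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FakeKMS stands in for the service side of KMS. The backing key material
// never leaves this struct: callers only ever receive data keys and EDKs.
type FakeKMS struct {
	keyID   string
	backing [][]byte // one entry per rotation; index 0 is the original material
}

func NewFakeKMS(keyID string) *FakeKMS {
	return &FakeKMS{keyID: keyID, backing: [][]byte{randomBytes(32)}}
}

// Rotate adds new backing material as automatic rotation does; older material is kept so earlier EDKs still decrypt.
func (k *FakeKMS) Rotate() { k.backing = append(k.backing, randomBytes(32)) }

// GenerateDataKey returns a fresh 256-bit data key in plaintext together with the
// same key wrapped under the current backing material (the EDK). The one-byte version
// prefix that lets Decrypt pick the right material is a simplification for this example.
func (k *FakeKMS) GenerateDataKey() (plaintextDEK, edk []byte) {
	plaintextDEK = randomBytes(32)
	version := len(k.backing) - 1
	wrapped := aeadSeal(k.backing[version], plaintextDEK, []byte(k.keyID))
	return plaintextDEK, append([]byte{byte(version)}, wrapped...)
}

// Decrypt unwraps an EDK with the backing material version it names.
func (k *FakeKMS) Decrypt(edk []byte) ([]byte, error) {
	if len(edk) < 1 || int(edk[0]) >= len(k.backing) {
		return nil, errors.New("invalid encrypted data key")
	}
	return aeadOpen(k.backing[edk[0]], edk[1:], []byte(k.keyID))
}

// Envelope is what the application stores: the EDK next to the ciphertext.
type Envelope struct {
	EDK        []byte
	Ciphertext []byte
}

// EncryptEnvelope is the application side of steps 1-4.
func EncryptEnvelope(kms *FakeKMS, plaintext []byte) Envelope {
	dek, edk := kms.GenerateDataKey()
	defer wipe(dek) // step 3: the plaintext data key is discarded after use
	return Envelope{EDK: edk, Ciphertext: aeadSeal(dek, plaintext, edk)}
}

// DecryptEnvelope is step 5: send the EDK to KMS, use the returned DEK briefly.
func DecryptEnvelope(kms *FakeKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.EDK)
	if err != nil {
		return nil, err
	}
	defer wipe(dek)
	return aeadOpen(dek, env.Ciphertext, env.EDK) // AAD ties the data to its own EDK
}

// aeadSeal and aeadOpen are AES-256-GCM with a random 12-byte nonce prepended.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func gcmFor(key []byte) cipher.AEAD { // every key here is 32 bytes, so errors cannot occur
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Encrypt a record, call Rotate, then decrypt: the old envelope still opens because its EDK names backing version 0, while a new GenerateDataKey call wraps under version 1. Flipping a byte of either the EDK or the ciphertext makes the GCM tag check fail, and a second FakeKMS with its own material cannot unwrap the EDK at all, which is the "only authorized entities can decrypt" property in miniature.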

4. KMS Integration with AWS Services

KMS integrates with most AWS services for encryption at rest:

  •  S3 – SSE-KMS (Server-Side Encryption with KMS keys)
  •  EBS – Volume-level encryption using KMS keys
  •  RDS – Encrypts database storage and snapshots
  •  DynamoDB – Table data encrypted at rest
  •  Lambda – Environment variable encryption
  •  Secrets Manager / SSM Parameter Store – Uses KMS for secret value encryption
  •  CloudTrail – Log file encryption
  •  SNS / SQS – Message encryption with KMS keys

 5. KMS Access Control

Access to KMS operations is controlled by three layers:

1.     Key Policies – Define who can manage and use a key.

2.     IAM Policies – Control access to KMS actions (kms:Encrypt, kms:Decrypt, etc.).

3.     Grants – Temporary permissions (used internally by AWS services).

Example IAM Policy (the Resource should be the key's ARN, which ends in the key ID; an alias would be referenced as alias/<name>):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "twtechAllowUseOfCMK",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-2:123456xxxxxx:key/twtech-KMS"
    }
  ]
}
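One way to make the three layers concrete, as an added example rather than code from the post or from AWS: a small Go evaluator of the decision logic. The Statement, Grant and Request structures, and the account, principal and key ARN values the tests use, are constructed for the example. The rule it encodes, that an IAM policy only reaches a key whose key policy allows the caller's account root (the default "Enable IAM User Permissions" statement, which is also how cross-account access is enabled) and that an explicit Deny in a key or IAM policy overrides an Allow, follows AWS's documented evaluation; treating grants as subject to the same explicit Deny is a modelling assumption.

```go
package main

import "strings"

// Statement is the subset of an IAM or key-policy statement modelled here.
type Statement struct {
	Effect     string   // "Allow" or "Deny"
	Principals []string // principal ARNs; key policies only, an IAM policy applies to its attached principal
	Actions    []string // e.g. "kms:Decrypt", "kms:*"
	Resources  []string // key ARNs, or "*"
}

// Grant is a simplified KMS grant; grant operations are named without "kms:".
type Grant struct {
	Grantee    string
	Operations []string
}

// Request is one KMS API call being authorized.
type Request struct {
	Principal string // caller ARN
	Account   string // caller's account ID
	Action    string // e.g. "kms:Decrypt"
	KeyARN    string
}

// anyMatch reports whether value equals a pattern or matches a trailing-* pattern.
func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, p[:len(p)-1])) {
			return true
		}
	}
	return false
}

// keyPolicyDecision returns "Allow", "Deny" or "" for the caller, plus whether an
// Allow statement names the caller's account root (the default "Enable IAM User
// Permissions" statement): that is what lets IAM policies in the account reach the key.
func keyPolicyDecision(policy []Statement, req Request) (decision string, iamEnabled bool) {
	root := "arn:aws:iam::" + req.Account + ":root"
	for _, s := range policy {
		if !anyMatch(s.Actions, req.Action) || !anyMatch(s.Resources, req.KeyARN) {
			continue
		}
		if anyMatch(s.Principals, req.Principal) {
			if s.Effect == "Deny" {
				return "Deny", false
			}
			decision = "Allow"
		}
		if s.Effect == "Allow" && anyMatch(s.Principals, root) {
			iamEnabled = true
		}
	}
	return decision, iamEnabled
}

// iamDecision evaluates the caller's identity-based policy for this key.
func iamDecision(policy []Statement, req Request) string {
	decision := ""
	for _, s := range policy {
		if anyMatch(s.Actions, req.Action) && anyMatch(s.Resources, req.KeyARN) {
			if s.Effect == "Deny" {
				return "Deny"
			}
			decision = "Allow"
		}
	}
	return decision
}

func grantAllows(grants []Grant, req Request) bool {
	op := strings.TrimPrefix(req.Action, "kms:")
	for _, g := range grants {
		if g.Grantee == req.Principal && anyMatch(g.Operations, op) {
			return true
		}
	}
	return false
}

// Authorize combines the three layers. Modelling assumptions: an explicit Deny in
// either policy wins over everything, grants included; otherwise the call is allowed
// if the key policy allows the caller directly, if it delegates to IAM and an IAM
// policy allows, or if a grant covers the operation.
func Authorize(keyPolicy, iamPolicy []Statement, grants []Grant, req Request) (bool, string) {
	kp, iamEnabled := keyPolicyDecision(keyPolicy, req)
	iam := iamDecision(iamPolicy, req)
	switch {
	case kp == "Deny":
		return false, "explicit deny in key policy"
	case iam == "Deny":
		return false, "explicit deny in IAM policy"
	case kp == "Allow":
		return true, "allowed directly by key policy"
	case iam == "Allow" && iamEnabled:
		return true, "allowed by IAM policy (key policy delegates to IAM for this account)"
	case grantAllows(grants, req):
		return true, "allowed by grant"
	case iam == "Allow":
		return false, "IAM policy allows, but the key policy does not delegate to IAM for this account"
	}
	return false, "no key policy statement, IAM policy or grant allows this action"
}
```

The case worth remembering from the tests: the same IAM policy as the post's example grants nothing when the key policy lacks the account-root statement, and a partner account's own IAM policy grants nothing unless the key policy names that account, whereas a grant for Decrypt works for its grantee without any IAM policy at all but does not extend to other operations.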

 6. AWS KMS Architecture Diagram:


7. Key Security Considerations and Compliance

  •  FIPS 140-2 Level 3 HSMs protect KMS keys.
  •  Keys never leave KMS unencrypted.
  •  Supports AWS CloudTrail for key usage logging.
  •  Customer-managed CMKs can use Custom Key Stores (CloudHSM-backed).
  •  Fully compliant with:
     o   PCI DSS (Payment Card Industry Data Security Standard)
     o   HIPAA (Health Insurance Portability and Accountability Act)
     o   FedRAMP (Federal Risk and Authorization Management Program)
     o   SOC 1, 2, 3 (types of audit reports for service organizations)
     o   ISO 27001/27017/27018 (family of international standards for managing information security)

8. AWS KMS Pricing

  •  $1 per CMK per month
  •  $0.03 per 10,000 API calls (for cryptographic operations)
  •  No cost for AWS-managed keys used transparently by AWS services.

9. Advanced Features of KMS

  •  Multi-Region Keys: replicate CMKs securely across AWS Regions.
  •  Custom Key Store: integrate with AWS CloudHSM for direct control of key material.
  •  Import Key Material: bring twtech's own key material (BYOK).
  •  Cross-account Access: share keys securely between AWS accounts.
  •  Key Aliases: human-friendly identifiers for CMKs.

10. KMS Key Lifecycle

  •  Create – Define the CMK and its policy.
  •  Use – Encrypt/decrypt data or generate DEKs.
  •  Rotate – Automatic (yearly) or manual rotation.
  •  Disable – Temporarily suspend key usage.
  •  Schedule Deletion – Permanently delete after a 7–30 day waiting period (irreversible once the period ends).

