Tuesday, October 14, 2025

AWS Key Management Service (KMS) | Overview.


AWS Key Management Service (KMS) - Overview.

Scope:

  • Intro,
  • Core Key Types,
  • Key Features,
  • Security Access Control,
  • AWS KMS (deep dive),
  • Core Concepts & Description,
  • How AWS KMS Works (Envelope Encryption Workflow),
  • KMS Integration with AWS Services (encryption at rest) & Encryption Role,
  • KMS Access Control by three layers,
  • Sample IAM Policy (AllowUseOfCMK),
  • AWS KMS Architecture Diagram,
  • Key Security Considerations and Compliance,
  • AWS KMS Pricing,
  • Advanced Features of KMS,
  • KMS Key Lifecycle (Phases & Descriptions).

Intro:

    • AWS Key Management Service (KMS) is a fully managed service that allows twtech to create and control the cryptographic keys used to protect its data
    • KMS is integrated with most Amazon Web Services and provides a centralized way to manage encryption across twtech cloud environment.
Core Key Types
    • Customer managed keys: Keys twtech creates, owns, and manage.
      •  twtech has full control over their key policies, rotation, and lifecycle.
    • AWS managed keys: Created and managed by AWS on twtech behalf. 
      • AWS managed keys are used by AWS services that integrate with KMS to protect your resources.
    • AWS owned keys: Keys that AWS services own and manage for use in multiple AWS accounts
      • twtech cannot view or manage AWS owned keys.
Key Features
    • FIPS 140-3 Validation: KMS uses Hardware Security Modules (HSMs) validated under FIPS 140-3 (replacing FIPS 140-2) to ensure the security of twtech keys.
    • Envelope Encryption: A practice where a data key is used to encrypt data, and that data key is itself encrypted by a KMS key. 
      • This method balances security with performance.
    • Automatic Key Rotation: twtech can enable automatic rotation for customer managed keys, which occurs every 365 days by default.
    • Multi-Region Keys: Allows twtech to replicate keys across different AWS Regions, which is useful for disaster recovery and global applications.
    • Auditability: Every use of a key is logged in AWS CloudTrail, providing a detailed audit trail of who used which key and when.
Security & Access Control
    • Access is managed through key policies, which are JSON documents that define who can use and manage the key. 
    • twtech can further refine access using IAM policies and grants.

1. AWS KMS (deep dive)

AWS Key Management Service (KMS) is a fully managed encryption and key management service that allows twtech to:

    •  Create, store, and manage cryptographic keys.
    •  Control how keys are used across AWS services and twtech own applications.
    •  Integrate encryption seamlessly with AWS services (like S3, EBS, RDS, DynamoDB, Lambda, and more).

2. Core Concepts & Description

Concept

Description

CMK / KMS Key

A logical representation of a master key. It includes metadata, key ID, policy, and key material.

Key Material

The actual cryptographic material used for encryption/decryption.

Customer Managed Key (CMK)

Created and managed by twtech. twtech defines key policies, IAM permissions, rotation, etc.

AWS Managed Key

Automatically created and managed by AWS for each service (e.g., aws/s3, aws/ebs).

AWS Owned Key

Fully managed by AWS and shared across multiple accounts; twtech can’t see or control them.

Data Keys (DEKs)

Temporary keys generated under a CMK to encrypt actual data (used for Envelope Encryption).

Key Policies

Resource-based policies that define who can use or manage a key.

Grants

Provide temporary, fine-grained access to a KMS key (used by services like S3 and EBS).

Automatic Key Rotation

Customer-managed keys can be automatically rotated every 365 days.

 3. How AWS KMS Works (Envelope Encryption Workflow)

Instead of encrypting large data directly with a CMK (slow and costly), KMS uses Envelope Encryption:

1.     Application requests a data key from KMS.

2.     KMS returns:

o   Plaintext data key (used by the application to encrypt data locally).

o   Encrypted data key (EDK) ... encrypted with the CMK.

3.     The plaintext key is used for encryption, then immediately discarded.

4.     The encrypted data key is stored alongside the encrypted data.

5.     To decrypt, the application sends the EDK to KMS to get back the plaintext data key (temporarily), which decrypts the data.

 This design ensures that:

    •  The CMK never leaves KMS.
    •  Only authorized entities can decrypt data.

 4. KMS Integration with AWS Services (encryption at rest)Encryption Role

Service

Encryption Role

S3

SSE-KMS (Server-Side Encryption with KMS keys)

EBS

Volume-level encryption using KMS keys

RDS

Encrypts database storage and snapshots

DynamoDB

Table data encrypted at rest

Lambda

Environment variables encryption

Secrets Manager / SSM Parameter Store

Uses KMS for secret value encryption

CloudTrail

Log file encryption

SNS / SQS

Message encryption with KMS keys

 5. KMS Access Control by three layers:

     1. Key Policies – Define who can manage and use a key.
2. IAM Policies – Control access to KMS actions (kms:Encrypt, kms:Decrypt, etc.).
3. Grants – Temporary permissions (used internally by AWS services).

# Sample IAM Policy (AllowUseOfCMK)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "twtechAllowUseOfCMK",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-2:accountID:key/twtech-KMS"
    }
  ]
}

 6. AWS KMS Architecture Diagram



7. Key Security Considerations and Compliance

    • FIPS 140-2 Level 3 HSMs protect KMS keys.
    • Keys never leave KMS unencrypted.
    • Supports AWS CloudTrail for key usage logging.
    • Customer-managed CMKs can use Custom Key Stores (CloudHSM-backed).
    • Fully compliant with:
      • PCI DSS (Payment Card Industry Data Security Standard)
      • HIPAA (Health Insurance Portability and Accountability Act)
      • FedRAMP (Federal Risk and Authorization Management Program)
      • SOC 1, 2, 3 (types of Audit Reports for Service Organization)
      • ISO 27001/27017/27018 (family of International Standards for Managing Information Security)

 8. AWS KMS Pricing

    •  $1 per CMK per month
    •  $0.03 per 10,000 API calls (for cryptographic operations)
    •  No cost for AWS-managed keys used transparently by AWS services.

 9. Advanced Features of KMS

    •  Multi-Region Keys: replicate CMKs securely across AWS Regions.
    •  Custom Key Store: integrate with AWS CloudHSM for direct control of key material.
    •  Import Key Material: bring your (twtech) own key material (BYOK).
    •  Cross-account Access: enable sharing keys securely between AWS accounts.
    •  Key Aliases: human-friendly identifiers for CMKs.

 10. KMS Key Lifecycle (Phases & Descriptions)

Phase

Description

Create

Define CMK and policy.

Use

Encrypt/decrypt data or generate DEKs.

Rotate

Automatic (yearly) or manual rotation.

Disable

Temporarily suspend key usage.

Schedule Deletion

Permanently delete after 7–30 days (irreversible).



at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, What EventBridge  Really  Is (Deep...