Tuesday, October 14, 2025

AWS KMS Keys Types & Classes | Deep Dive.


twtech deep dive into AWS KMS Key Types & Classes

Focus:

  • The concept: KMS Key
  • KMS Key Types Overview
  • Key Material Types
  • Key Classes (Symmetric vs Asymmetric)
  • Customer Managed Keys (CMK) – Deep Control
  • Multi-Region Keys
  • Key Lifecycle
  • Summary Diagram — KMS Key Types
  • Choosing the Right Key Type

1. The concept: KMS Key

A KMS key (formerly known as a Customer Master Key, or CMK) is the primary resource in AWS KMS used to encrypt, decrypt, and manage cryptographic operations.

Each KMS key includes:

  • Metadata (key ID, ARN, creation date, etc.)
  • Key material (the actual cryptographic bits)
  • Key policies (access control)
  • Usage permissions, rotation status, and aliases

2. KMS Key Types Overview

AWS KMS defines three main categories of keys based on ownership and management:

| Type | Description | Who Manages It | Visibility | Common Use Case |
|---|---|---|---|---|
| AWS Owned Keys | Fully managed by AWS, used transparently for encryption within AWS services. | AWS | ❌ Not visible | Default encryption for AWS services (no setup needed). |
| AWS Managed Keys | Created automatically per service when you enable encryption. | AWS | ✅ Visible (alias prefixed with aws/) | S3, EBS, RDS, DynamoDB when "Encrypt with AWS-managed key" is selected. |
| Customer Managed Keys (CMKs) | Created, owned, and controlled by you. | twtech | ✅ Visible | When you need custom control over key usage, policies, and auditing. |

3. Key Material Types

A KMS key can have different key material origins:

| Origin | Description | Example |
|---|---|---|
| AWS_KMS | Default. AWS KMS generates and stores key material in its HSMs. | Most standard keys |
| EXTERNAL | twtech imports its own key material (BYOK). | For compliance or external key control |
| CUSTOM_KEY_STORE | Key material stored and managed in AWS CloudHSM, but integrated with KMS APIs. | High assurance or regulatory use cases |
| AWS_XKS (External Key Store) | Key material remains in your on-premises or external HSM, but AWS KMS uses it via API calls. | Sovereign or highly regulated workloads |

4. Key Classes (Symmetric vs Asymmetric)

| Class | Encryption Type | Supported Algorithms | Typical Use Cases |
|---|---|---|---|
| Symmetric Keys | Same key used for encrypt/decrypt | AES-256 | Data encryption at rest, DEK generation |
| Asymmetric Keys | Public/private key pairs | RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_SECG_P256K1 | Digital signatures, asymmetric encryption, certificate signing |

Symmetric Keys

  • Used by most AWS services.
  • Managed by KMS.
  • twtech cannot extract the key material.
  • Support: Encrypt, Decrypt, ReEncrypt, GenerateDataKey.

Asymmetric Keys

  • Used for operations like:
    • Sign / Verify
    • Encrypt / Decrypt (public/private)
  • The public key can be downloaded.
  • Private key stays protected inside KMS HSM.

5. Customer Managed Keys (CMK) – Deep Control

When twtech creates its own key (CMK), it can:

  • Define key policies (who can manage/use it).
  • Control key rotation (automatic yearly rotation or manual).
  • Enable multi-region replication.
  • Use grants for temporary, fine-grained access.
  • Log all key operations via AWS CloudTrail.

Example Use Case:

twtech creates a CMK for:

  • Encrypting application data in S3.
  • Allowing Lambda functions to decrypt using that key.
  • Restricting access to specific IAM roles.
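As an added example (not from the original post), this is a key policy that implements that use case: an admin role may manage but not use the key, a writer role may only generate data keys, and the Lambda role may only decrypt, with both usage grants limited to calls that arrive through S3 in us-east-1. The account ID 111122223333, the region and the three role names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "twtech-app-data-cmk-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsCanManageButNotUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleKmsAdminRole" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AppWriterRoleCanGenerateDataKeysViaS3Only",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleAppWriterRole" },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "LambdaReaderRoleCanDecryptViaS3Only",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleLambdaReaderRole" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

Because no statement grants the account root principal access, IAM identity policies alone cannot grant use of this key, so every permitted principal must appear here. Keep the admin role highly available: it is the only principal that can change this policy.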

6. Multi-Region Keys

AWS KMS supports multi-region keys, which are replicas of the same logical key across regions.

| Feature | Description |
|---|---|
| Same Key ID | Identical key material across regions. |
| Independent Management | twtech can disable/delete keys independently. |
| Use Case | Cross-region disaster recovery or global applications. |

7. Key Lifecycle

| Stage | Description |
|---|---|
| Create Key | Define key policies, aliases, and usage. |
| Enable Key | Key becomes available for cryptographic operations. |
| Rotate Key | Automatically or manually generate new key material. |
| Disable Key | Suspends key use temporarily (no operations allowed). |
| Schedule Deletion | Permanently delete key after 7–30 days (irreversible). |

8. Summary Diagram — KMS Key Types

Flow (simplified view):

9. Choosing the Right Key Type

| Requirement | Recommended Key |
|---|---|
| Default, no management overhead | AWS Owned Key |
| Service-level encryption with minimal management | AWS Managed Key |
| Compliance, control, auditability | Customer Managed Key |
| Bring Your (twtech) Own Key (BYOK) | CMK with Imported Key Material |
| Regional failover | Multi-Region CMK |
| On-prem or external control | External Key Store (XKS) |

