Tuesday, October 14, 2025

AWS KMS Keys Types & Classes | Overview.


Scope

  • Intro,
  • KMS Key Management Classes (Ownership defines who creates, manages, & pays for the key),
  • KMS Key Cryptographic Types (underlying mathematical algorithms & how keys are used),
  • Special Key Configurations,
  • The concept of KMS Key (deep dive),
  • Components of KMS key,
  • KMS Key Types (three main categories based on ownership, management & Common Use Cases),
  • Key Material Types, Description & Sample (based on material origins),
  • Key Classes (Symmetric vs Asymmetric),
  • Customer Managed Keys (CMK) - Defining twtech Controls,
  • Sample Use Case,
  • Multi-Region Keys (replicas of the same logical key across regions),
  • Key Lifecycle (Stages & Description),
  • Summary Diagram for KMS Key Types (simplified Flow view).
  • Choosing the Right Key (Requirement & Recommended Type).

Intro:

  • AWS Key Management Service (AWS KMS) categorizes keys based on their management responsibility and their cryptographic configuration.

KMS Key Management Classes (Ownership defines who creates, manages, & pays for the key):

  • Customer managed keys: twtech creates and manages these keys.
    • twtech has full control over their key policies, rotation, and deletion.
    • Customer managed keys incur a monthly fee and are used for twtech-specific applications.
  • AWS managed keys: Created and managed by AWS on twtech's behalf when it uses an AWS service that integrates with KMS (e.g., Amazon S3 or Amazon RDS).
    • twtech can view them and their usage in CloudTrail but cannot manage them directly.
  • AWS owned keys: These are not in the twtech AWS account but are used by AWS services to protect data across multiple customers.
    • twtech cannot view, manage, or audit these keys.

KMS Key Cryptographic Types (underlying mathematical algorithms & how keys are used):

  • Symmetric encryption keys: The most common type.
    • They use a single 256-bit AES-GCM key that never leaves AWS KMS unencrypted.
    • They are used for encryption, decryption, and generating data keys for envelope encryption.
  • Asymmetric keys: These consist of a mathematically related public and private key pair.
    • twtech can download the public key to use outside AWS, but the private key never leaves the service.
    • They are used for:
      • Encryption/Decryption: Using RSA algorithms.
      • Signing/Verification: Using RSA or Elliptic Curve (ECC) algorithms.
  • HMAC keys: Symmetric keys used specifically to generate, then verify, Hash-based Message Authentication Codes (HMAC) for data integrity and authenticity.

Special Key Configurations:

  • Multi-Region keys: Primary and replica keys that have the same key ID and material across different AWS Regions, allowing twtech to decrypt data in one region that was encrypted in another without re-encryption.
  • Imported key material: Allows twtech to import its own key material (Bring Your "twtech" Own Key - BYOK) into a KMS key instead of having AWS generate it.

 1. The concept of KMS Key (deep dive)

  • A KMS key (formerly known as a Customer Master Key or CMK) is the primary resource in AWS KMS used to encrypt, decrypt, and manage cryptographic operations.

Components of KMS key:

  • Metadata (key ID, ARN, creation date, etc.)
  • Key material (the actual cryptographic bits)
  • Key policies (access control)
  • Usage permissions, rotation status, and aliases

 2. KMS Key Types (three main categories based on ownership, management & common use cases):

  • AWS Owned Keys
    • Description: Fully managed by AWS, used transparently for encryption within AWS services.
    • Who Manages It: AWS
    • Visibility: ❌ Not visible
    • Common Use Case: Default encryption for AWS services (no setup needed).
  • AWS Managed Keys
    • Description: Created automatically per service when twtech enables encryption.
    • Who Manages It: AWS
    • Visibility: ✅ Visible (prefixed with aws/)
    • Common Use Case: S3, EBS, RDS, DynamoDB when “Encrypt with AWS-managed key” is selected.
  • Customer Managed Keys (CMKs)
    • Description: Created, owned, and controlled by twtech.
    • Who Manages It: twtech
    • Visibility: ✅ Visible
    • Common Use Case: When you need custom control over key usage, policies, and auditing.

 3. Key Material Types, Description & Sample (based on material origins):

  • AWS_KMS
    • Description: Default. AWS KMS generates and stores key material in its HSMs.
    • Sample: Most standard keys.
  • EXTERNAL
    • Description: twtech imports its own key material (BYOK).
    • Sample: For compliance or external key control.
  • CUSTOM_KEY_STORE
    • Description: Key material stored and managed in AWS CloudHSM, but integrated with KMS APIs.
    • Sample: High assurance or regulatory use cases.
  • AWS_XKS (External Key Store)
    • Description: Key material remains in your on-premises or external HSM, but AWS KMS uses it via API calls.
    • Sample: Sovereign or highly regulated workloads.

 4. Key Classes (Symmetric vs Asymmetric)

  • Symmetric Keys
    • Encryption Type: Same key used for encrypt/decrypt.
    • Supported Algorithms: AES-256.
    • Typical Use Cases: Data encryption at rest, DEK generation.
  • Asymmetric Keys
    • Encryption Type: Public/private key pairs.
    • Supported Algorithms: RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_SECG_P256K1.
    • Typical Use Cases: Digital signatures, asymmetric encryption, certificate signing.

 Symmetric Keys

    • Used by most AWS services.
    • Managed by KMS.
    • twtech cannot extract the key material.
    • Support: Encrypt, Decrypt, ReEncrypt, GenerateDataKey.

 Asymmetric Keys

    • Used for operations like:
      • Sign / Verify
      • Encrypt / Decrypt (public/private)
    • The public key can be downloaded.
    • Private key stays protected inside KMS HSM.
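The two key classes above differ in which API operations and algorithms a key can ever use, and KeyUsage is fixed when the key is created. The following added example (not part of the original post and not AWS's own code) encodes that matrix so a (KeySpec, KeyUsage) pair can be validated before CreateKey is called. SYMMETRIC_DEFAULT, the RSA_*, ECC_* and HMAC_* specs, the KeyUsage values and the algorithm names are the real AWS KMS API identifiers; the lookup tables and the helper functions are this example's own construction and list only the operations the post discusses.

```python
"""Which KMS operations a key can perform, derived from its KeySpec and
KeyUsage. Added example: the identifiers are real KMS API values, the tables
and functions are this example's own construction (not AWS code).
"""

SYMMETRIC_SPECS = {"SYMMETRIC_DEFAULT"}  # one 256-bit AES-GCM key, never exported
RSA_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096"}
ECC_SPECS = {"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
HMAC_SPECS = {"HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"}

# KeyUsage values CreateKey accepts for each key spec.
ALLOWED_USAGE = {
    **{s: {"ENCRYPT_DECRYPT"} for s in SYMMETRIC_SPECS},
    **{s: {"ENCRYPT_DECRYPT", "SIGN_VERIFY"} for s in RSA_SPECS},
    **{s: {"SIGN_VERIFY"} for s in ECC_SPECS},
    **{s: {"GENERATE_VERIFY_MAC"} for s in HMAC_SPECS},
}

# API operations per (class, usage). GetPublicKey exists only for asymmetric
# keys: the public half may be downloaded, the private half never leaves KMS.
OPERATIONS = {
    ("symmetric", "ENCRYPT_DECRYPT"): {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey"},
    ("rsa", "ENCRYPT_DECRYPT"): {"Encrypt", "Decrypt", "GetPublicKey"},
    ("rsa", "SIGN_VERIFY"): {"Sign", "Verify", "GetPublicKey"},
    ("ecc", "SIGN_VERIFY"): {"Sign", "Verify", "GetPublicKey"},
    ("hmac", "GENERATE_VERIFY_MAC"): {"GenerateMac", "VerifyMac"},
}

RSA_ENCRYPTION_ALGORITHMS = ["RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"]
RSA_SIGNING_ALGORITHMS = [
    "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512",
    "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512",
]
# Each curve pairs with the one hash of matching strength.
ECC_SIGNING_ALGORITHM = {
    "ECC_NIST_P256": "ECDSA_SHA_256", "ECC_SECG_P256K1": "ECDSA_SHA_256",
    "ECC_NIST_P384": "ECDSA_SHA_384", "ECC_NIST_P521": "ECDSA_SHA_512",
}


def key_class(key_spec):
    """Map a KeySpec onto the classes used in the post."""
    for name, specs in (("symmetric", SYMMETRIC_SPECS), ("rsa", RSA_SPECS),
                        ("ecc", ECC_SPECS), ("hmac", HMAC_SPECS)):
        if key_spec in specs:
            return name
    raise ValueError(f"unknown KeySpec {key_spec!r}")


def check_create_key_params(key_spec, key_usage):
    """Validate a (KeySpec, KeyUsage) pair before calling CreateKey.

    KeyUsage cannot be changed later, so a mismatch here would produce a key
    that can never do the job it was created for. Returns the operations the
    key will support.
    """
    cls = key_class(key_spec)
    if key_usage not in ALLOWED_USAGE[key_spec]:
        raise ValueError(f"{key_spec} does not support KeyUsage={key_usage}; "
                         f"allowed: {sorted(ALLOWED_USAGE[key_spec])}")
    return set(OPERATIONS[(cls, key_usage)])


def algorithms_for(key_spec, key_usage):
    """Algorithm identifiers usable with this key's Encrypt/Decrypt, Sign/Verify or MAC calls."""
    cls = key_class(key_spec)
    check_create_key_params(key_spec, key_usage)
    if cls == "symmetric":
        return ["SYMMETRIC_DEFAULT"]
    if cls == "rsa":
        return list(RSA_ENCRYPTION_ALGORITHMS if key_usage == "ENCRYPT_DECRYPT"
                    else RSA_SIGNING_ALGORITHMS)
    if cls == "ecc":
        return [ECC_SIGNING_ALGORITHM[key_spec]]
    return ["HMAC_SHA_" + key_spec.split("_")[1]]   # HMAC_256 -> HMAC_SHA_256


def can_perform(key_spec, key_usage, operation):
    """True when a key of this spec/usage may run the named KMS operation."""
    return operation in check_create_key_params(key_spec, key_usage)


if __name__ == "__main__":
    for spec, usage in (("SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT"),
                        ("RSA_3072", "SIGN_VERIFY"),
                        ("ECC_NIST_P384", "SIGN_VERIFY"),
                        ("HMAC_256", "GENERATE_VERIFY_MAC")):
        print(spec, usage, sorted(check_create_key_params(spec, usage)),
              algorithms_for(spec, usage))
```

Running a planned key definition through check_create_key_params() before provisioning catches the classic mistake of creating an ECC key for encryption or expecting GetPublicKey on a symmetric key; both fail at the API, but only after the key (and its monthly charge) exists.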

 5. Customer Managed Keys (CMK) - defining twtech Controls 

    • Define key policies (who can manage/use it).
    • Control key rotation (automatic yearly rotation or manual).
    • Enable multi-region replication.
    • Use grants for temporary, fine-grained access.
    • Log all key operations via AWS CloudTrail.

Sample Use Case (twtech creates a CMK for):

    • Encrypting application data in S3.
    • Allowing Lambda functions to decrypt using that key.
    • Restricting access to specific IAM roles.
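The sample use case above is, in practice, a key policy. The following added example (not the post's or AWS's code) builds that policy for a CMK protecting application data in S3, with a writer role allowed to encrypt only when the call comes through S3, a Lambda role as the only principal allowed to Decrypt, and an admin role that can manage but not use the key; it then runs a small audit over the finished document. The account id, region and role ARNs are constructed placeholders; the policy format, the kms:* action names and the kms:ViaService condition key are the real KMS key policy vocabulary, while the finding texts are this example's own.

```python
"""Key policy for a CMK that protects application data in S3, plus an audit.
Added example, not AWS's code: ids, region and ARNs are constructed placeholders.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"                                           # constructed
REGION = "us-east-1"                                                  # constructed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/twtech-kms-admin"       # constructed
WRITER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/twtech-s3-writer"      # constructed
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/twtech-app-lambda"     # constructed


def build_cmk_policy(account_id=ACCOUNT_ID, region=REGION, admin_role=ADMIN_ROLE,
                     writer_role=WRITER_ROLE, lambda_role=LAMBDA_ROLE):
    """Least-privilege key policy: admins manage, writers encrypt only via S3,
    the Lambda role is the only principal that may Decrypt."""
    return {
        "Version": "2012-10-17",
        "Id": "twtech-app-data-key",
        "Statement": [
            {   # Standard first statement: lets the account delegate via IAM policies.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Administration only: no Encrypt/Decrypt in this list.
                "Sid": "KeyAdministrators",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role},
                "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*",
                           "kms:Update*", "kms:Enable*", "kms:Disable*", "kms:Revoke*",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                           "kms:TagResource", "kms:UntagResource"],
                "Resource": "*",
            },
            {   # Writers may encrypt, but only when the request arrives through S3.
                "Sid": "S3WritersEncryptOnly",
                "Effect": "Allow",
                "Principal": {"AWS": writer_role},
                "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
            {   # The single principal that may turn ciphertext back into plaintext.
                "Sid": "LambdaDecryptOnly",
                "Effect": "Allow",
                "Principal": {"AWS": lambda_role},
                "Action": "kms:Decrypt",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def audit_key_policy(policy, allowed_decryptors):
    """Return (Sid, finding) pairs for Allow statements a reviewer should question:
    anonymous principals without a Condition, kms:* granted to anything but the
    account root, and Decrypt reachable by a principal outside allowed_decryptors."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        actions = _as_list(stmt.get("Action", []))
        # fnmatch so that wildcards such as kms:* or kms:De* count as granting Decrypt.
        grants_decrypt = any(fnmatchcase("kms:Decrypt", a) for a in actions)
        for principal in _principals(stmt):
            if principal == "*" and "Condition" not in stmt:
                findings.append((sid, "anonymous principal without a Condition"))
            if principal.endswith(":root"):
                continue   # the account root statement is the expected IAM hook
            if "kms:*" in actions:
                findings.append((sid, f"kms:* granted to non-root principal {principal}"))
            if grants_decrypt and principal not in allowed_decryptors:
                findings.append((sid, f"Decrypt reachable by unexpected principal {principal}"))
    return findings


if __name__ == "__main__":
    policy = build_cmk_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", audit_key_policy(policy, {LAMBDA_ROLE}))
```

The audit is deliberately narrow: it answers the question the use case asks (who can decrypt, and is anyone unexpected able to?) rather than trying to be a general policy linter. Because every key operation is logged to CloudTrail, the same allow-list of decryptors can later be compared against the principals that actually called Decrypt.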

 6. Multi-Region Keys (replicas of the same logical key across regions).

  • Same Key ID: Identical key material across regions.
  • Independent Management: twtech can disable/delete keys independently.
  • Use Case: Cross-region disaster recovery or global applications.

 7. Key Lifecycle (Stages & Description)

  • Create Key: Define key policies, aliases, and usage.
  • Enable Key: Key becomes available for cryptographic operations.
  • Rotate Key: Automatically or manually generate new key material.
  • Disable Key: Suspends key use temporarily (no operations allowed).
  • Schedule Deletion: Permanently delete key after 7–30 days (irreversible).
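The lifecycle stages above, together with the multi-region replica rules from section 6, are easiest to reason about as a state model. The following added example (not the post's or AWS's code) models them: the states Enabled, Disabled and PendingDeletion, the AWS_KMS and EXTERNAL origins, the 7–30 day deletion window, the fact that cancelling a deletion leaves the key Disabled, and the rule that automatic rotation is only available for a symmetric key whose material KMS generated are real KMS behaviour; the KmsKeyModel class, its dates and its key ids are this example's own constructed illustration.

```python
"""A model of the KMS key lifecycle and of multi-region replicas.
Added example, not AWS's code; dates and key ids are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

ROTATION_PERIOD = timedelta(days=365)   # default automatic (yearly) rotation


@dataclass
class KmsKeyModel:
    key_id: str
    key_spec: str = "SYMMETRIC_DEFAULT"
    origin: str = "AWS_KMS"              # EXTERNAL for imported (BYOK) material
    multi_region: bool = False
    created: date = date(2025, 10, 14)   # constructed
    state: str = "Enabled"               # Enabled | Disabled | PendingDeletion
    rotation_enabled: bool = False
    last_rotated: Optional[date] = None
    material_versions: int = 1           # old versions are kept for decryption
    deletion_date: Optional[date] = None
    replicas: List[str] = field(default_factory=list)   # regions with a replica

    def _require_not_pending(self, action):
        if self.state == "PendingDeletion":
            raise RuntimeError(f"cannot {action}: key is pending deletion, cancel first")

    def can_use(self):
        """Only an Enabled key serves cryptographic operations."""
        return self.state == "Enabled"

    def enable(self):
        self._require_not_pending("enable")
        self.state = "Enabled"

    def disable(self):
        """Temporary suspension: nothing is lost and the key can be re-enabled."""
        self._require_not_pending("disable")
        self.state = "Disabled"

    def enable_rotation(self):
        self._require_not_pending("enable rotation")
        if self.key_spec != "SYMMETRIC_DEFAULT" or self.origin != "AWS_KMS":
            raise ValueError("automatic rotation needs a symmetric key whose "
                             "material was generated by KMS (origin AWS_KMS)")
        self.rotation_enabled = True

    def rotate_if_due(self, today):
        """Automatic rotation creates new material once per ROTATION_PERIOD and
        only while the key is Enabled; earlier versions stay so old ciphertext
        still decrypts. Returns True when a rotation happened."""
        if not self.rotation_enabled or not self.can_use():
            return False
        if today - (self.last_rotated or self.created) < ROTATION_PERIOD:
            return False
        self.material_versions += 1
        self.last_rotated = today
        return True

    def schedule_deletion(self, today, pending_days=30):
        """Deletion is irreversible once the window ends, so KMS enforces a
        7-30 day waiting period (PendingWindowInDays) with the key unusable."""
        if not 7 <= pending_days <= 30:
            raise ValueError("PendingWindowInDays must be between 7 and 30")
        self.state = "PendingDeletion"
        self.deletion_date = today + timedelta(days=pending_days)

    def cancel_deletion(self):
        """Cancelling leaves the key Disabled; it must be enabled explicitly."""
        if self.state != "PendingDeletion":
            raise RuntimeError("key is not pending deletion")
        self.state = "Disabled"
        self.deletion_date = None

    def replicate(self, region):
        """Create a replica: same key id and material, managed independently."""
        self._require_not_pending("replicate")
        if not self.multi_region:
            raise ValueError("only multi-region keys (ids starting with mrk-) can be replicated")
        self.replicas.append(region)
        return KmsKeyModel(self.key_id, self.key_spec, self.origin, True,
                           self.created, material_versions=self.material_versions)


if __name__ == "__main__":
    key = KmsKeyModel("1234abcd-12ab-34cd-56ef-1234567890ab")   # constructed id
    key.enable_rotation()
    print("rotated:", key.rotate_if_due(date(2026, 10, 14)), "versions:", key.material_versions)
    key.disable()
    key.schedule_deletion(date(2026, 10, 15), pending_days=7)
    print("state:", key.state, "deletes on:", key.deletion_date)
```

Two points the model makes visible that the table alone does not: a key created from imported material (origin EXTERNAL) cannot be put on automatic rotation, so BYOK keys need a manual rotation procedure; and a replica is a separate key object, so disabling or scheduling deletion on one region's copy leaves the other regions' copies in service.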

 8. Summary Diagram for KMS Key Types (simplified Flow view):


 9. Choosing the Right Key (Requirement & Recommended Type)

  • Default, no management overhead: AWS Owned Key
  • Service-level encryption with minimal management: AWS Managed Key
  • Compliance, control, auditability: Customer Managed Key
  • Bring Your (twtech) Own Key (BYOK): CMK with Imported Key Material
  • Regional failover: Multi-Region CMK
  • On-prem or external control: External Key Store (XKS)


