Monday, October 13, 2025

AWS Security & Encryption with Focus on KMS, Encryption SDK, SSM Parameter Store | Deep Dive.

A twtech deep dive into AWS Security & Encryption.

Focus:

  • AWS KMS,
  • AWS Encryption SDK,
  • AWS Systems Manager Parameter Store (SSM Parameter Store).

These are the three foundational services that secure data, secrets, and keys in AWS environments.

 Overview

  • AWS provides a layered encryption and key management ecosystem that integrates across nearly all AWS services.
  • At the heart of this ecosystem are three services:

Service                          | Purpose
---------------------------------|---------------------------------------------------------------------------------------
AWS KMS (Key Management Service) | Centralized key creation, rotation, and management for encryption.
AWS Encryption SDK               | Client-side encryption library for application-level data protection.
AWS SSM Parameter Store          | Secure, encrypted storage for configuration values, secrets, and environment variables.

These services are often used together for data-at-rest encryption, data-in-transit security, and secure secret management.

 1. AWS KMS – Key Management Service

AWS KMS is a fully managed encryption and key management service that allows twtech to:

  • Create, manage, and control cryptographic keys.
  • Integrate encryption with 100+ AWS services.
  • Enforce compliance and access controls centrally.

 Core Concepts

Concept                    | Description
---------------------------|-----------------------------------------------------------------------------------
CMK (Customer Managed Key) | A master key created, owned, and managed by twtech.
AWS Managed Key            | A key automatically created and managed by AWS for its services.
Data Key                   | A temporary encryption key generated under a CMK, used for encrypting actual data.
Key Policy                 | IAM-style JSON policy defining who can use or manage the key.
Envelope Encryption        | Encrypting data keys with CMKs to protect encryption keys themselves.

 How Encryption Works (Envelope Encryption)

  1. Application or AWS service requests a data key from KMS.
  2. KMS generates:
    • Plaintext data key (used for local encryption)
    • Encrypted data key (encrypted under the CMK)
  3. Application encrypts data locally using the plaintext data key.
  4. Plaintext key is discarded; only the encrypted key is stored with the data.
  5. To decrypt, the app calls KMS again to decrypt the data key, then decrypts the data.

 Key Management Features

  • Automatic key rotation (every 1 year, if enabled)
  • Customer key import (bring your own key – BYOK)
  • Cross-account key sharing
  • Multi-Region KMS keys
  • Auditability via CloudTrail

 KMS Integration Examples

Service             | Use Case
--------------------|------------------------------------------
S3                  | Encrypts objects with SSE-KMS.
EBS                 | Encrypts volumes with KMS-managed keys.
RDS                 | Encrypts databases at rest using a CMK.
Lambda              | Encrypts environment variables.
Secrets Manager     | Encrypts stored secrets.
SSM Parameter Store | Encrypts SecureString parameters.

 2. AWS Encryption SDK

The AWS Encryption SDK is a client-side encryption library that developers embed into applications to encrypt and decrypt data locally, before it is sent to AWS or stored anywhere.

The AWS Encryption SDK uses envelope encryption just like KMS, but runs in twtech's application layer (not service-managed).

 Key Features of AWS Encryption SDK

  • Open-source and language-agnostic (supports Python, Java, C, JS, etc.)
  • Integrates with KMS for master key management.
  • Supports multi-master key encryption — encrypt data under multiple keys or key providers.
  • Provides authenticated encryption (AES-GCM) ensuring both confidentiality and integrity.

 How AWS Encryption SDK Works

  1. Application calls the Encryption SDK to encrypt data.
  2. SDK:
    • Requests a data key from KMS.
    • Encrypts the plaintext using AES-256-GCM.
    • Encrypts the data key under a CMK (Customer Managed Key).
  3. Output contains:
    • Ciphertext
    • Encrypted data key metadata
    • Encryption context (for integrity and context binding)
  4. For decryption:
    • SDK (Software Development Kit) retrieves the encrypted data key.
    • Calls KMS to decrypt it.
    • Uses the decrypted key to decrypt the ciphertext.
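The envelope-encryption flow from the KMS section and the Encryption SDK steps above, as an added example that is neither AWS code nor this post's own: `FakeKms` is an in-memory stand-in for the KMS GenerateDataKey and Decrypt calls (in practice these go through boto3 or the Encryption SDK), and the AEAD is an HMAC-based encrypt-then-MAC construction standing in for AES-256-GCM so everything runs offline with only the standard library. It shows that the plaintext data key is never stored, and that the encryption context is bound as additional authenticated data, so a changed context, a tampered ciphertext, or the wrong CMK all fail to decrypt.

```python
import hashlib, hmac, json, os

def _ctx_bytes(ctx):
    return json.dumps(ctx, sort_keys=True).encode()  # context is bound as AAD, never encrypted

def _keystream(key, nonce, length):
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def aead_encrypt(key, plaintext, aad):
    # Toy AEAD (HMAC keystream + HMAC tag, encrypt-then-MAC) standing in for AES-256-GCM.
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()

def aead_decrypt(key, blob, aad):
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or encryption context was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class FakeKms:  # simulated KMS: the CMK never leaves this object, callers only see wrapped keys
    def __init__(self):
        self._cmk = os.urandom(32)
    def generate_data_key(self, ctx):  # like KMS GenerateDataKey: (plaintext key, encrypted key)
        plaintext_key = os.urandom(32)
        return plaintext_key, aead_encrypt(self._cmk, plaintext_key, _ctx_bytes(ctx))
    def decrypt(self, encrypted_key, ctx):  # like KMS Decrypt: the context must match exactly
        return aead_decrypt(self._cmk, encrypted_key, _ctx_bytes(ctx))

def encrypt_message(kms, plaintext, ctx):
    data_key, encrypted_key = kms.generate_data_key(ctx)
    ciphertext = aead_encrypt(data_key, plaintext, _ctx_bytes(ctx))  # local encryption, no KMS call
    del data_key  # plaintext data key discarded; only the wrapped copy travels with the data
    return {"ciphertext": ciphertext, "encrypted_data_key": encrypted_key, "encryption_context": ctx}

def decrypt_message(kms, msg):
    ctx = msg["encryption_context"]
    data_key = kms.decrypt(msg["encrypted_data_key"], ctx)  # one KMS call to unwrap the data key
    return aead_decrypt(data_key, msg["ciphertext"], _ctx_bytes(ctx))

def decrypt_fails(kms, msg):
    # True when the message no longer authenticates (altered ciphertext, context, or wrong CMK).
    try:
        decrypt_message(kms, msg)
    except ValueError:
        return True
    return False
```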

 Use Cases of AWS Encryption SDK

  • Encrypting sensitive data before writing to S3.
  • Client-side encryption in hybrid architectures.
  • Applications requiring local control over encryption lifecycle.
  • Ensuring data is unreadable outside AWS infrastructure.

 3. AWS Systems Manager Parameter Store

SSM Parameter Store provides secure, hierarchical storage for configuration data and secrets.

twtech can store:

  • Plaintext parameters (non-sensitive)
  • Encrypted parameters (SecureString) using KMS CMKs

 Key Features

Feature                 | Description
------------------------|------------------------------------------------------
SecureString parameters | Encrypted at rest with AWS KMS.
Hierarchical structure  | Store parameters in /app/env/config format.
Versioning              | Tracks changes to parameters.
IAM permissions         | Fine-grained access control for read/write actions.
Integration             | Works with Lambda, EC2, ECS, CodePipeline, etc.

 How AWS Systems Manager Parameter Store Works

  1. twtech stores a parameter:

# bash
aws ssm put-parameter \
  --name "/prod/db/password" \
  --value "twtechSecurePass!" \
  --type "SecureString" \
  --key-id "alias/twtechapp-keyid"

  2. Parameter Store encrypts it with AWS KMS.
  3. Applications (EC2, ECS, Lambda, etc.) retrieve it securely using IAM permissions.
  4. When retrieved, Parameter Store calls KMS to decrypt the SecureString temporarily for use.

 Use Cases of AWS Systems Manager Parameter Store

  • Centralized configuration management.
  • Storing credentials, API tokens, DB passwords.
  • Integrating secure secrets into CI/CD pipelines.
  • Application bootstrap via environment variables.

 Integration Example – End-to-End Flow

# Secure-app-flow.txt
App or Lambda Function
├── Retrieves secrets from SSM Parameter Store (SecureString)
│   └── Decrypted by AWS KMS under the CMK
├── Uses AWS Encryption SDK to encrypt sensitive data locally
│   └── Encryption SDK calls KMS for a data key
└── Stores encrypted data in S3 or DynamoDB
    └── Optionally protected by SSE-KMS at rest


Security Best Practices

Category           | Recommendation
-------------------|---------------------------------------------------------------------------------
Key Management     | Use CMKs (Customer Managed Keys) per application or environment; enable rotation.
Access Control     | Apply least-privilege IAM policies for KMS and SSM access.
Encryption Context | Always use an encryption context with KMS and the Encryption SDK for integrity.
Secrets Handling   | Never store plaintext secrets in code or config files.
Monitoring         | Use CloudTrail and AWS Config to audit KMS key usage and changes.
Multi-Region DR    | Use multi-Region KMS keys for cross-Region encryption continuity.

Comparison Summary

Feature             | AWS KMS                 | AWS Encryption SDK                    | SSM Parameter Store
--------------------|-------------------------|---------------------------------------|---------------------------
Purpose             | Central key management  | Client-side encryption                | Secret/config storage
Encryption Location | Server-side             | Client-side                           | Server-side (KMS-backed)
Key Type            | CMK / AWS-managed key   | Data key + CMK (Customer Managed Key) | CMK (Customer Managed Key)
Integration         | All AWS services        | Apps / SDKs                           | AWS apps, CI/CD
Access Control      | IAM + Key Policies      | IAM via KMS integration               | IAM policies
Use Case            | Data encryption at rest | Application-level encryption          | Secure secret management

