Monday, October 13, 2025

AWS Security & Encryption (with KMS, Encryption SDK, SSM Parameter Store) | Overview.

Scope:

  • Intro,
  • AWS Key Management Service (KMS),
  • AWS Encryption SDK,
  • Core Concepts & Description Table,
  • How Encryption (Envelope Encryption) Works,
  • Key Management Features,
  • KMS Integration Services & Use cases,
  • The concept of AWS Encryption SDK (deep dive),
  • Key Features of AWS Encryption SDK,
  • How AWS Encryption SDK Works,
  • Use Cases of AWS Encryption SDK,
  • AWS Systems Manager Parameter Store (deep dive),
  • Key Features & Description table for SSM Parameter Store,
  • How AWS Systems Manager Parameter Store Works,
  • Use Cases of AWS Systems Manager Parameter Store,
  • Integration of AWS Systems Manager Parameter Store & End-to-End Flow (secure app),
  • Security Best Practices & Recommendations,
  • Comparison Table for KMS, Encryption SDK & SSM Parameter Store.

Intro:

  • AWS offers a suite of tools for data security, ranging from managed key storage to client-side encryption libraries and secure configuration management.

AWS Key Management Service (KMS)

  • AWS KMS is a managed service for creating and controlling cryptographic keys.
  • AWS KMS is primarily a key generation and storage system; it is not a bulk data encryption service (see the payload limit below).
    • Key Types: Supports symmetric keys (a single key for encryption and decryption) and asymmetric keys (public/private key pairs for signing and encryption).
    • Service Integration: Integrates with services such as Amazon S3, RDS, and DynamoDB for server-side encryption.
    • Payload Limit: The direct KMS Encrypt API is limited to 4 KB of data, so larger datasets require envelope encryption.
    • Security Features: Keys are backed by FIPS 140-2 Level 3 certified hardware security modules (HSMs), and automatic annual key rotation is supported.

AWS Encryption SDK

The AWS Encryption SDK is an open-source client-side library designed to simplify envelope encryption.
    • Envelope Encryption: It generates a unique data key for each message, encrypts the data with it, and then encrypts the data key under one or more "wrapping keys" (such as KMS keys).
    • Portability: Encrypted messages carry the encrypted data key in their header, so they can be decrypted anywhere the application has access to the wrapping key.
    • Multi-Key Support: A single data key can be encrypted under multiple wrapping keys across different Regions or providers to ensure high availability.
    • Advanced Security: Includes built-in digital signatures for integrity and "key commitment", which ensures a ciphertext can only decrypt to one specific plaintext.

SSM Parameter Store

A capability of AWS Systems Manager, Parameter Store provides secure, hierarchical storage for configuration data and secrets.
    • Data Types: Supports String, StringList, and SecureString.
    • SecureString Encryption: These parameters are automatically encrypted using AWS KMS keys.
      • Users can use the default AWS-managed key or a customer-managed key (CMK).
    • Tiers: The Standard tier is free for basic use, while the Advanced tier supports larger values (up to 8 KB) and parameter policies.
    • Access Control: Uses standard IAM policies to control which users or roles can retrieve and decrypt specific parameters.

Together, these three services form the foundation for securing data, secrets, and keys in AWS environments.

NB:

  • AWS provides a layered encryption and key management ecosystem that integrates across nearly all AWS services.

Services at the heart of this layered encryption and key management ecosystem:

Service | Purpose
--- | ---
AWS KMS (Key Management Service) | Centralized key creation, rotation, and management for encryption.
AWS Encryption SDK | Client-side encryption library for application-level data protection.
AWS SSM Parameter Store | Secure, encrypted storage for configuration values, secrets, and environment variables.

NB:

  • These services are often used together for data-at-rest encryption, data-in-transit security, and secure secret management.

1. AWS KMS (Key Management Service) deep dive

  • AWS KMS is a fully managed encryption and key management service that allows twtech to:
    • Create, manage, and control cryptographic keys.
    • Integrate encryption with 100+ AWS services.
    • Enforce compliance and access controls centrally.

Core Concepts & Description Table

Concept | Description
--- | ---
CMK (Customer Managed Key) | A master key created, owned, and managed by twtech.
AWS Managed Key | A key automatically created and managed by AWS for its services.
Data Key | A temporary encryption key generated under a CMK, used for encrypting the actual data.
Key Policy | IAM-style JSON policy defining who can use or manage the key.
Envelope Encryption | Encrypting data keys with CMKs to protect the encryption keys themselves.

How Encryption (Envelope Encryption) Works

    1. The application or AWS service requests a data key from KMS.
    2. KMS generates:
      • a plaintext data key (used for local encryption), and
      • an encrypted data key (encrypted under the CMK).
    3. The application encrypts the data locally using the plaintext data key.
    4. The plaintext key is discarded; only the encrypted key is stored alongside the data.
    5. To decrypt, the application calls KMS again to decrypt the data key, then decrypts the data locally.

Key Management Features

    • Automatic key rotation (every 1 year, if enabled)
    • Customer key import (bring your own key – BYOK)
    • Cross-account key sharing
    • Multi-Region KMS keys
    • Auditability via CloudTrail

KMS Integration Services & Use cases

Service | Use Case
--- | ---
S3 | Encrypts objects with SSE-KMS.
EBS | Encrypts volumes with KMS-managed keys.
RDS | Encrypts databases at rest using a CMK.
Lambda | Encrypts environment variables.
Secrets Manager | Encrypts stored secrets.
SSM Parameter Store | Encrypts SecureString parameters.

2. The concept of AWS Encryption SDK (deep dive)

    • The AWS Encryption SDK is a client-side encryption library that developers embed into applications to encrypt and decrypt data locally, before it is sent to AWS or stored anywhere.
    • The AWS Encryption SDK uses envelope encryption just like KMS, but it runs in twtech's application layer rather than being service-managed.

Key Features of AWS Encryption SDK

    • Open-source and language-agnostic (supports Python, Java, C, JS, etc.)
    • Integrates with KMS for master key management.
    • Supports multi-master key encryption — encrypt data under multiple keys or key providers.
    • Provides authenticated encryption (AES-GCM) ensuring both confidentiality and integrity.

How AWS Encryption SDK Works

  1. The application calls the Encryption SDK to encrypt data.
  2. The SDK:
    • Requests a data key from KMS.
    • Encrypts the plaintext using AES-256-GCM.
    • Encrypts the data key under a CMK (Customer Managed Key).
  3. The output contains:
    • Ciphertext
    • Encrypted data key metadata
    • Encryption context (for integrity and context binding)
  4. For decryption:
    • The SDK (Software Development Kit) retrieves the encrypted data key.
    • Calls KMS to decrypt it.
    • Uses the decrypted data key to decrypt the ciphertext.
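The envelope flow from the KMS section and the SDK steps just above, as an added example written for this overview (it is not code from AWS or from the Encryption SDK). It uses Go's standard-library AES-256-GCM with a local stand-in for KMS: `master` plays the CMK that never leaves KMS, the encryption context is bound as GCM additional authenticated data, and the plaintext data key is zeroed once the data is encrypted; the function names and the single-string context format are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes (AES-256); a bad length is a bug, not input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag, with the encryption context bound as AAD.
func seal(g cipher.AEAD, pt []byte, ctx string) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh random nonce per call; crypto/rand.Read does not fail (Go 1.24+)
	return append(nonce, g.Seal(nil, nonce, pt, []byte(ctx))...)
}

// open reverses seal; a wrong key or a different context fails GCM authentication.
func open(g cipher.AEAD, msg []byte, ctx string) ([]byte, error) {
	if len(msg) < g.NonceSize() {
		return nil, errors.New("truncated message")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], []byte(ctx))
}

// envelopeEncrypt: master stands in for the CMK that never leaves KMS (assumed local mock);
// the real SDK serializes the two outputs into one message with a header.
func envelopeEncrypt(master, plaintext []byte, ctx string) (wrappedKey, ciphertext []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)                              // steps 1-2: GenerateDataKey, fresh per message
	wrappedKey = seal(gcm(master), dataKey, ctx)    // the copy encrypted under the CMK
	ciphertext = seal(gcm(dataKey), plaintext, ctx) // step 3: local encryption with plaintext key
	for i := range dataKey { dataKey[i] = 0 }       // step 4: plaintext data key discarded
	return wrappedKey, ciphertext
}

// envelopeDecrypt: step 5; only the wrapped key goes back to "KMS", the data never does.
func envelopeDecrypt(master, wrappedKey, ciphertext []byte, ctx string) ([]byte, error) {
	dataKey, err := open(gcm(master), wrappedKey, ctx) // KMS Decrypt of the data key
	if err != nil {
		return nil, err
	}
	return open(gcm(dataKey), ciphertext, ctx)
}
```

Decrypting with a different encryption context or a different master key fails GCM authentication, which is the integrity property that the "always use encryption context" recommendation relies on.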

Use Cases of AWS Encryption SDK

    • Encrypting sensitive data before writing to S3.
    • Client-side encryption in hybrid architectures.
    • Applications requiring local control over encryption lifecycle.
    • Ensuring data is unreadable outside AWS infrastructure.

3. AWS Systems Manager Parameter Store (deep dive)

  • SSM Parameter Store provides secure, hierarchical storage for configuration data and secrets.

twtech can store:

    • Plaintext parameters (non-sensitive)
    • Encrypted parameters (SecureString) using KMS CMKs

Key Features & Description table for SSM Parameter Store

Feature | Description
--- | ---
SecureString parameters | Encrypted at rest with AWS KMS.
Hierarchical structure | Store parameters in /app/env/config path format.
Versioning | Tracks changes to parameters.
IAM permissions | Fine-grained access control for read/write actions.
Integration | Works with Lambda, EC2, ECS, CodePipeline, etc.

How AWS Systems Manager Parameter Store Works

  1. twtech stores a parameter:

# bash
aws ssm put-parameter \
  --name "/prod/db/password" \
  --value "twtechSecurePass!" \
  --type "SecureString" \
  --key-id "alias/twtechapp-keyid"

  2. Parameter Store encrypts it with AWS KMS.
  3. Applications (EC2, ECS, Lambda, etc.) retrieve it securely using IAM permissions.
  4. When retrieved, Parameter Store calls KMS to decrypt the SecureString temporarily for use.

Use Cases of AWS Systems Manager Parameter Store

    • Centralized configuration management.
    • Storing credentials, API tokens, DB passwords.
    • Integrating secure secrets into CI/CD pipelines.
    • Application bootstrap via environment variables.

Integration of AWS Systems Manager Parameter Store & End-to-End Flow (secure app)



Security Best Practices & Recommendations

Category | Recommendation
--- | ---
Key Management | Use CMKs (Customer Managed Keys) per application or environment; enable rotation.
Access Control | Apply least-privilege IAM policies for KMS and SSM access.
Encryption Context | Always use an encryption context with KMS and the SDK for integrity.
Secrets Handling | Never store plaintext secrets in code or config files.
Monitoring | Use CloudTrail and Config to audit KMS key usage and changes.
Multi-Region DR | Use multi-Region KMS keys for cross-Region encryption continuity.

Comparison Table for KMS, Encryption SDK & SSM Parameter Store

Feature | AWS KMS | AWS Encryption SDK | SSM Parameter Store
--- | --- | --- | ---
Purpose | Central key management | Client-side encryption | Secret/config storage
Encryption Location | Server-side | Client-side | Server-side (KMS-backed)
Key Type | CMK / AWS-managed key | Data key + CMK (Customer Managed Key) | CMK (Customer Managed Key)
Integration | All AWS services | Apps / SDKs | AWS apps, CI/CD
Access Control | IAM + Key Policies | IAM via KMS integration | IAM policies
Use Case | Data encryption at rest | Application-level encryption | Secure secret management



