Key Management Service (KMS)

Create and manage encryption keys

KMS makes it easy for you to create, control, and rotate encryption keys used to encrypt your data on AWS

KMS is a multi-tenant Hardware Security Module (HSM)

KMS can be used with CloudTrail to audit access history

Most AWS services let you turn on encryption in two steps:

  1. tick the encryption checkbox
  2. then choose a KMS key


What is Hardware Security Module (HSM)?

  • Hardware that is specialized for storing your encryption keys.
  • It's designed to be tamper-proof.
  • It stores keys in memory, so they are never written to disk.

Multi-tenant means that multiple customers are utilizing the same piece of hardware.

Customers are isolated from each other virtually. If one customer used the entire piece of hardware (dedicated), that would be called single-tenant.

CloudHSM is a single-tenant HSM which gives you full control.

A dedicated HSM means you can meet the stricter FIPS 140-2 Level 3 compliance requirement

KMS is FIPS 140-2 Level 2

KMS - Customer Master Key

What is encryption?

The process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.

What are cryptographic keys (data key)?

A string of data that is used to lock or unlock cryptographic functions, including authentication, authorization and encryption.

What is a Master Key?

A key stored in secure hardware. Master keys are used to encrypt all other keys on a system.

KMS - Customer Master Key

Customer master keys are the primary resources in AWS KMS.

A customer master key (CMK) is a logical representation of a master key.

The CMK includes metadata, such as:

  • the key ID
  • creation date
  • description
  • and key state

The CMK also contains the key material used to:

  • encrypt
  • and decrypt data

AWS KMS supports symmetric and asymmetric CMKs.

KMS - AWS CLI

You can perform many KMS actions through the AWS CLI.

  • aws kms create-key: creates a unique customer managed master key (CMK) in your AWS account
  • aws kms encrypt: encrypts plaintext into ciphertext by using a customer master key (CMK)
  • aws kms decrypt: decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK)
  • aws kms re-encrypt: decrypts ciphertext and then re-encrypts it within AWS KMS
  • aws kms enable-key-rotation: enables automatic rotation of the key material for the specified symmetric customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
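The master-key / data-key hierarchy described above and the CLI operations just listed can be modelled in a few dozen lines. The following is an added example, not AWS code and not from the original notes: a `ToyKms` class stands in for the HSM (master key bytes never leave it), and a toy HMAC-based cipher stands in for the authenticated cipher KMS actually uses. All names (`ToyKms`, `toy_encrypt`, the `key-xxxx` ID format, the sample record) are constructed for illustration. It shows envelope encryption (a wrapped data key stored beside locally encrypted data), why rotation keeps old key versions, and how re-encrypt moves a ciphertext to another key without plaintext ever leaving the "HSM".

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output is nonce || body || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the body; a wrong key or tampering raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: tampered or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class ToyKms:
    """Models the HSM boundary: master key bytes exist only inside this object.

    Callers see key IDs and ciphertexts, never master key material. Each key ID
    maps to a list of key versions, so rotation keeps old material available for
    decrypting ciphertexts produced before the rotation.
    """

    def __init__(self):
        self._master_keys = {}  # key_id -> [version0, version1, ...]

    def create_key(self) -> str:  # aws kms create-key
        key_id = "key-" + secrets.token_hex(4)  # constructed ID format, not AWS's
        self._master_keys[key_id] = [secrets.token_bytes(32)]
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:  # aws kms encrypt
        version = len(self._master_keys[key_id]) - 1  # newest material wins
        header = f"{key_id}:{version}:".encode()  # lets decrypt locate the key
        return header + toy_encrypt(self._master_keys[key_id][version], plaintext)

    def decrypt(self, blob: bytes) -> bytes:  # aws kms decrypt
        key_id, version, body = blob.split(b":", 2)
        return toy_decrypt(self._master_keys[key_id.decode()][int(version)], body)

    def generate_data_key(self, key_id: str):
        """Envelope encryption: a plaintext data key plus a copy wrapped by the CMK.

        The caller encrypts bulk data locally with the plaintext key, stores only
        the wrapped copy next to the data, and discards the plaintext key.
        """
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key)

    def re_encrypt(self, blob: bytes, dest_key_id: str) -> bytes:  # aws kms re-encrypt
        # Plaintext exists only inside this method, never outside the "HSM".
        return self.encrypt(dest_key_id, self.decrypt(blob))

    def rotate_key_material(self, key_id: str) -> None:
        """What enable-key-rotation schedules in real KMS; here it runs at once."""
        self._master_keys[key_id].append(secrets.token_bytes(32))


def envelope_demo() -> bool:
    """End-to-end walk-through; returns True when the stored record round-trips."""
    kms = ToyKms()
    key_id = kms.create_key()
    data_key, wrapped_key = kms.generate_data_key(key_id)
    record = b"constructed sample: customer record 42"
    stored = (wrapped_key, toy_encrypt(data_key, record))  # what goes to disk
    del data_key  # plaintext data key is discarded after use
    kms.rotate_key_material(key_id)  # the old key version still decrypts
    recovered = toy_decrypt(kms.decrypt(stored[0]), stored[1])
    return recovered == record


if __name__ == "__main__":
    print("envelope round-trip ok:", envelope_demo())
```

The design point to notice is the boundary: application code only ever holds data keys and wrapped blobs, and every operation that needs master key material (`decrypt`, `re_encrypt`) happens inside `ToyKms`, which is exactly the property the single- or multi-tenant HSM provides and which CloudTrail logging of those calls lets you audit.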
