KMS in-depth overview

KMS is a fully managed service that makes it easy to create and control cryptographic keys within AWS, which can then be used to encrypt and decrypt data and sign and verify messages.

Types of keys

KMS offers different types of keys to cater to various security needs:

  • Customer master keys (CMKs): These are the primary type of key you interact with in KMS. CMKs can be either symmetric or asymmetric and are used to encrypt/decrypt up to 4 KB of data directly or to encrypt generated data keys. They are often used in scenarios requiring direct control over the key material, such as regulatory compliance.
  • Data keys: These are symmetric keys that you can use to encrypt and decrypt data outside of KMS in your applications. They are generated by a CMK and can be either plain (unencrypted) or encrypted. Data keys are best suited for encrypting large volumes of data at the application layer.
  • AWS managed keys: These are keys that are automatically created by AWS services on your behalf. They are designed to simplify the encryption process for AWS-managed services such as S3 and RDS. You can see AWS-managed keys in KMS, but you cannot manage them. They are often used in situations where the focus is more on ease of use rather than granular control.
  • Custom key stores: For those who require more control over their cryptographic keys, KMS allows you to create CMKs using custom key stores backed by CloudHSM clusters or third-party key managers outside AWS.

Key life cycle

Understanding the life cycle of a KMS key is crucial for effective key management:

  • Creation: When creating a CMK, you can choose to either generate a new key or import your key material (BYOK). You can also tailor your key configuration by selecting its type (symmetric or asymmetric) and encryption algorithm. Alongside these options, it is crucial to define the key’s administrative and usage permissions by defining a key policy. This involves specifying who can administer the key and what cryptographic operations can be performed with it.
  • Rotation: Key rotation is not just a best practice; it is a must for robust cryptography. Failing to regularly rotate keys can expose your organization to various security risks, including the increased likelihood of successful brute-force attacks. KMS supports automatic key rotation for CMKs, where new key material is generated every year. However, you also have the option to manually rotate keys. When a key is rotated, the key material changes, but the key ID remains the same. Previous versions of the key material are retained so that data encrypted under an older version can still be decrypted. This dual approach to key rotation – automatic and manual – provides organizations with the flexibility to align their key management practices with their specific security policies.
  • Deletion: Deleting a key is a process that demands careful consideration. Before a CMK can be deleted, it must be scheduled for deletion, which initiates a waiting period, defaulting to 30 days. This waiting period serves as a safety net, preventing accidental deletion of crucial keys. Once the waiting period is over and the key is deleted, any data encrypted under that key becomes irretrievable, emphasizing the need for a well-thought-out key archival and deletion strategy.
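The Creation step above says a key policy must separate who administers a key from who can use it, and the Rotation and Deletion steps describe settings that are applied after the key exists. The following Python is an added example (not code from the original post or from AWS) that builds such a policy, lints it for the mistakes that most often undermine that separation, and shows the boto3 calls that apply the policy and enable rotation. The account ID, role names, the exact split of the admin action list, and the finding codes are constructed assumptions; the IAM actions and boto3 method names are real.

```python
"""Build and sanity-check an AWS KMS key policy that separates key
administration from key usage. Added example, not from the original post.
Account ID, role names and finding codes are constructed; the kms:* actions
and the boto3 calls are real."""
import json

# Administrative actions: manage the key, but never use its key material.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Usage actions: perform cryptographic operations, but never change the policy
# or schedule deletion.
USAGE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, admin_role, user_roles):
    """Return a key policy dict with root, administrator and usage statements."""
    arn = lambda name: f"arn:aws:iam::{account_id}:role/{name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Root statement keeps the key manageable through IAM even if
                # the admin role is later deleted; without it the key can become
                # unmanageable.
                "Sid": "EnableRootPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": arn(admin_role)},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyUsage",
                "Effect": "Allow",
                "Principal": {"AWS": [arn(r) for r in user_roles]},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy):
    """Return (sid, code) findings for common key-policy mistakes:
    PUBLIC_PRINCIPAL    - Allow to Principal "*" with no Condition
    FULL_ACCESS_NON_ROOT - kms:* (or *) granted to a non-root principal,
                           collapsing the admin/usage separation
    NO_ROOT_ADMIN       - no root statement, so the key may become unmanageable
    """
    findings = []
    has_root_admin = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        principal = st.get("Principal", {})
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = []
        full_access = any(a in ("*", "kms:*") for a in actions)
        for p in principals:
            is_root = p.endswith(":root")
            if is_root and full_access:
                has_root_admin = True
            if p == "*" and "Condition" not in st:
                findings.append((sid, "PUBLIC_PRINCIPAL"))
            if full_access and not is_root:
                findings.append((sid, "FULL_ACCESS_NON_ROOT"))
    if not has_root_admin:
        findings.append(("<policy>", "NO_ROOT_ADMIN"))
    return findings


def create_key_with_policy(kms_client, policy, description):
    """Create a symmetric CMK under `policy` and turn on automatic rotation.
    `kms_client` is a boto3 KMS client (boto3.client("kms")); passing it in
    keeps this module importable offline. Returns the new key ID."""
    problems = lint_key_policy(policy)
    if problems:
        raise ValueError(f"refusing to create key with policy findings: {problems}")
    resp = kms_client.create_key(
        Policy=json.dumps(policy),
        Description=description,
        KeySpec="SYMMETRIC_DEFAULT",
        KeyUsage="ENCRYPT_DECRYPT",
    )
    key_id = resp["KeyMetadata"]["KeyId"]
    kms_client.enable_key_rotation(KeyId=key_id)  # yearly key material rotation
    return key_id
```

In use, `build_key_policy("123456789012", "KmsAdmin", ["AppRole"])` produces a policy that passes the linter, and `create_key_with_policy(boto3.client("kms"), policy, "orders DB key")` refuses to create the key if the policy grants `kms:*` to anything but root or opens it to every principal. Scheduling deletion later is `kms_client.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=30)`, and the same call's `CancelKeyDeletion` counterpart is already reserved to the administrator role by the policy above.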
