KMS

Introduction

  • A regional service for at-rest encryption

  • Can be called through its API to encrypt / decrypt data

Features

  • Seamlessly integrated into:

    • EBS volumes

    • S3 objects

    • Redshift data

    • RDS data

    • SSM Parameter stores

    • Etc...

  • Types:

    • Customer managed CMK:

      • Managed by ourselves (the customer).

      • Can be rotated

      • Can add Key Policy

      • Can be used for Envelope Encryption

    • AWS managed CMK:

      • Managed by AWS; we don't have direct access to the key.

      • Used by AWS Service (S3, EBS, Redshift, etc.)

  • Encrypt / Decrypt calls only accept up to 4 KB of data per call. If the data is larger than 4 KB, use Envelope Encryption (a KMS-generated data key encrypts the data locally; KMS only encrypts the data key).

  • API calls are tracked in CloudTrail
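
The envelope pattern behind the 4 KB note, as an added example that is not part of the original notes. `LocalKms` is a constructed offline stand-in for `boto3.client("kms")` that mirrors the call shapes of `generate_data_key`, `encrypt` and `decrypt` and enforces the 4 KB limit; `xor_stream` is a toy keystream cipher used only to keep the example dependency-free (assumed for illustration; real code would use AES-GCM from a vetted library).

```python
"""Envelope encryption with a KMS-style key service (added example).

KMS Encrypt/Decrypt accept at most 4 KB of plaintext per call, so larger data
is protected with envelope encryption: ask KMS for a fresh data encryption key
(DEK), encrypt the payload locally with the DEK, keep the plaintext DEK only in
memory, and store the KMS-wrapped DEK next to the ciphertext. Decrypting later
means sending only the small wrapped DEK back to KMS.
"""
import hashlib
import hmac
import os

KMS_MAX_PLAINTEXT = 4096  # per-call limit for Encrypt/Decrypt noted above


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    Symmetric, so applying it twice with the same key/nonce restores the data.
    Illustrative stand-in only; not an authenticated or vetted construction."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


class LocalKms:
    """Constructed offline stand-in for the KMS API. The customer master key
    (CMK) material never leaves this object, which is the property KMS provides
    with its backing HSMs. Method names and argument names follow boto3."""

    def __init__(self):
        self._cmks = {}  # key_id -> 256-bit key material (constructed)

    def create_key(self) -> str:
        key_id = "cmk-" + os.urandom(4).hex()  # constructed id, not a real ARN
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, KeyId: str, Plaintext: bytes) -> dict:
        # KMS refuses oversized payloads; this is why envelope encryption exists.
        if len(Plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError(f"Plaintext exceeds {KMS_MAX_PLAINTEXT} bytes; use envelope encryption")
        nonce = os.urandom(16)
        body = xor_stream(self._cmks[KeyId], nonce, Plaintext)
        # Blob layout (constructed): key id | nonce | ciphertext, so decrypt
        # can locate the CMK without being told the key id, as real KMS does.
        return {"CiphertextBlob": KeyId.encode() + b"|" + nonce + body}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        key_id, rest = CiphertextBlob.split(b"|", 1)
        nonce, body = rest[:16], rest[16:]
        return {"Plaintext": xor_stream(self._cmks[key_id.decode()], nonce, body)}

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        # Returns the DEK both in plaintext (use once, then drop) and wrapped.
        dek = os.urandom(32)
        return {"Plaintext": dek, "CiphertextBlob": self.encrypt(KeyId, dek)["CiphertextBlob"]}


def direct_encrypt_allowed(kms, key_id: str, data: bytes) -> bool:
    """True if KMS accepts the payload for a direct Encrypt call."""
    try:
        kms.encrypt(KeyId=key_id, Plaintext=data)
        return True
    except ValueError:
        return False


def envelope_encrypt(kms, key_id: str, plaintext: bytes) -> dict:
    """Encrypt arbitrarily large data under a CMK via a per-object DEK."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = os.urandom(16)
    ciphertext = xor_stream(dk["Plaintext"], nonce, plaintext)
    # The plaintext DEK is dropped here; only the KMS-wrapped copy is stored.
    return {"wrapped_dek": dk["CiphertextBlob"], "nonce": nonce, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Unwrap the DEK through KMS (small call), then decrypt locally."""
    dek = kms.decrypt(CiphertextBlob=envelope["wrapped_dek"])["Plaintext"]
    return xor_stream(dek, envelope["nonce"], envelope["ciphertext"])


def demo() -> bool:
    """Round-trip a 64 KB payload, far above the direct Encrypt limit."""
    kms = LocalKms()
    key_id = kms.create_key()
    payload = os.urandom(64 * 1024)
    return envelope_decrypt(kms, envelope_encrypt(kms, key_id, payload)) == payload


if __name__ == "__main__":
    print("envelope round-trip ok:", demo())
```

Swapping `LocalKms()` for `boto3.client("kms")` keeps `envelope_encrypt` and `envelope_decrypt` unchanged, since they only use the `Plaintext` and `CiphertextBlob` fields those calls return; the one thing to replace is the toy `xor_stream` with an authenticated cipher.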

Usage

  • Grants: dynamically and programmatically grant the ability to use the key, then revoke it once the need is over (more efficient than editing IAM policies).

  • To grant someone access to a KMS key, both must allow it:

    • The Key Policy must grant the permission

    • The IAM Policy must grant the permission
