AWS Key Management Service (KMS) Overview

• Definition: A managed service for easily creating and controlling encryption keys used to encrypt your data.
• Purpose: Provides highly available key storage, management, and auditing.
• Used to encrypt data within your own applications and control encryption of data across AWS services.
• Allows centrally managing and securely storing your keys, known as AWS KMS keys (formerly Customer Master Keys - CMKs).

AWS KMS Keys (CMKs)

• Primary resources in AWS KMS.
• Include metadata (ID, creation date, description, key state) and the key material.
• Supports symmetric and asymmetric KMS keys.
• Symmetric KMS keys and private keys of asymmetric KMS keys never leave KMS unencrypted.
• By default, AWS KMS creates the key material.
• A KMS key can encrypt data up to 4KB in size.
• Can generate, encrypt, and decrypt Data Encryption Keys (DEKs).
• A KMS key can never be exported from KMS (CloudHSM allows this).

Customer Managed KMS Keys

• KMS keys in your AWS account that you create, own, and manage.
• Full control: Establish/maintain key policies, IAM policies, grants; enable/disable, rotate cryptographic material, add tags, create aliases, schedule for deletion.
• Cost: Incur a monthly fee and a fee for usage beyond the free tier.

AWS Managed KMS Keys

• KMS keys in your account created, managed, and used on your behalf by an AWS service (e.g., S3, EBS, RDS).
• You cannot manage, rotate, or change their key policies.
• Cannot use directly in cryptographic operations; the service uses them on your behalf.
• Cost: No monthly fee; may have usage fees (some AWS services cover these).
• Created on the first time you implement encryption using that service.
• Can only be used by the service that created them within a particular region.

AWS Owned KMS Keys

• Collection of KMS keys that an AWS service owns and manages for use in multiple AWS accounts.
• Not in your AWS account. AWS service uses them to protect your resources.
• You do not create, manage, view, use, track, or audit them.
• Cost: No monthly fee or usage fee; do not count against KMS quotas.

Data Encryption Keys (DEKs)

• Encryption keys used to encrypt data, including large amounts of data.
• AWS KMS keys are used to generate, encrypt, and decrypt DEKs.
• AWS KMS does not store, manage, or track your DEKs.
• You must use and manage DEKs outside of AWS KMS.
• The GenerateDataKey API is used to create a DEK using a KMS key.

KMS Core Details

• Set usage policies on keys (determine users, conditions for encryption/decryption).
• Key Material Options: KMS generated, or import your own.
• Master keys are protected by Hardware Security Modules (HSMs) and used only within them.
• KMS is for encryption at rest only (use SSL/TLS for in-transit encryption).
• Tightly integrated into many AWS services (Lambda, S3, EBS, EFS, DynamoDB, SQS, etc.).
• AWS services encrypt your data and store an encrypted copy of the DEK along with the data.
• When a service needs to decrypt data, it requests KMS to decrypt the DEK using your master key.
• If authorized, KMS returns the decrypted DEK, which the service uses to decrypt your data.
• All requests to use your master keys are logged in AWS CloudTrail for auditing.
• Control who manages/accesses keys via IAM users/roles.
• Differs from Secrets Manager as KMS is purpose-built for encryption key management.
• Validated by compliance schemes (e.g., PCI DSS Level 1, FIPS 140-2 Level 2).

Key Management with KMS Functions

• Create keys with alias/description.
• Import your own key material.
• Define IAM users/roles for key management and usage (encrypt/decrypt).
• Choose automatic annual key rotation (for symmetric customer-managed keys).
• Temporarily disable/re-enable keys.
• Schedule keys for deletion.
• Audit key use via CloudTrail logs.
• Create, connect, disconnect, delete custom key stores (requires CloudHSM).

Data Encryption Scenarios

• Direct KMS API calls: Encrypt/decrypt data directly using master keys in KMS (for small data <= 4KB).
• AWS Service Integration: AWS services encrypt your data using DEKs protected by your KMS master keys.
• AWS Encryption SDK: Perform encryption within your own applications (in AWS or not), integrated with KMS.

Custom Key Store

• Combines AWS CloudHSM controls with KMS ease of use.
• Configure your own CloudHSM cluster and authorize KMS to use it as a dedicated key store.
• Keys created in a custom key store generate key material in your CloudHSM cluster and never leave the HSMs in plaintext.
• All KMS operations using these keys are performed only in your HSMs.

Key Deletion

• Can schedule customer-managed KMS keys for deletion.
• Configurable waiting period: 7 to 30 days (default is 30 days).
• Waiting period allows verifying impact on applications.
• Can cancel key deletion during the waiting period.

AWS KMS APIs (Developer Focus)

• Encrypt: Encrypts plaintext (up to 4KB) using a KMS key. Can move encrypted data between regions.
• Decrypt: Decrypts ciphertext encrypted by various KMS operations.
• ReEncrypt: Decrypts and then re-encrypts ciphertext entirely within KMS.
  • Used to change the KMS key protecting data (manual rotation).
  • Used to change encryption context under the same KMS key.
• EnableKeyRotation: Enables automatic annual rotation for symmetric customer-managed KMS keys.
• GenerateDataKey: Generates a unique symmetric data key (plaintext and encrypted copy).
• GenerateDataKeyWithoutPlaintext: Generates a unique symmetric data key (only returns encrypted copy).
• GenerateDataKeyPair / GenerateDataKeyPairWithoutPlaintext: For asymmetric data key pairs.

KMS Envelope Encryption

• Method used by KMS-integrated AWS services and client-side toolkits.
• KMS generates a data key (DEK) to encrypt the actual data.
• The DEK itself is then encrypted using your KMS key (CMK).
• This "envelope" (encrypted DEK + encrypted data) is stored.
• To decrypt data, the encrypted DEK is first sent to KMS to be decrypted by the CMK, then the plaintext DEK is used to decrypt the data.

KMS Limits

• Up to 1000 KMS keys per account per region (enabled and disabled count). AWS recommends deleting unused disabled keys.
• AWS managed master keys (created by services) do not count against this limit.
• No limit on the number of data keys derived using a master key.

Important Exam Tips

• Regional Service: KMS keys are regional. (Exam Tip!)
• Symmetric vs. Asymmetric: Understand the difference and typical use cases (symmetric for data encryption, asymmetric for digital signatures/key exchange).
• KMS Key vs. Data Key: Critical distinction. KMS keys protect data keys; data keys encrypt the actual data. KMS does not store data keys.
• Rotation: Only customer-managed symmetric KMS keys can have automatic annual rotation. Custom Lambda functions for other types.
• KMS vs. CloudHSM: KMS uses HSMs, but you don't manage them directly. CloudHSM gives you dedicated, single-tenant HSMs that you manage, allowing key export. Custom Key Store bridges this.
• KMS vs. Secrets Manager: KMS manages encryption keys. Secrets Manager manages secrets (credentials, API keys) and offers rotation for them. Secrets Manager uses KMS for encryption.
• Encryption Context: Important for auditing and policy enforcement. Additional authenticated data (AAD) that provides context to the encryption operation.
• Key Policy vs. IAM Policy: Both control access. Key policies define who can use the key; IAM policies define what actions a principal can take on KMS resources. They work together.
• CloudTrail: All KMS API calls are logged in CloudTrail for auditing.
• Data Size Limit: KMS can directly encrypt only up to 4KB. For larger data, use envelope encryption with DEKs.