AWS Key Management Service – KMS
- AWS KMS is a managed encryption service that makes it easy to encrypt data
- KMS provides highly available key storage, management, and auditing to encrypt data across AWS services and within applications
- KMS is seamlessly integrated with several other AWS services to make encrypting data in those services easy
- KMS keys are stored and used only in the region in which they are created. They cannot be transferred to another region
- KMS enforces usage and management policies to control which IAM users and roles, from your account or from other accounts, can manage and use keys
- KMS is integrated with CloudTrail, so all requests to use the keys are logged, showing who used which key and when
- KMS allows rotation of the keys
  - if keys generated by KMS are rotated automatically by KMS, data does not need to be re-encrypted. KMS keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in AWS KMS are encrypted under the newest version of the key.
  - if keys are rotated manually, data has to be re-encrypted depending on the application’s configuration
  - Automatic key rotation is not supported for imported keys
- KMS centrally manages and securely stores the keys
- Keys can be generated by KMS or imported from your own key management infrastructure
- Keys can be used from within applications and supported AWS services to protect data, but the key material never leaves AWS KMS.
- Data is submitted to AWS KMS to be encrypted or decrypted under keys that you control.
- Usage policies on these keys determine which users can use them to encrypt and decrypt data.
- AWS cloud services integrated with AWS KMS use a method called envelope encryption to protect the data.
- Envelope encryption is an optimized method for encrypting data that uses two different keys
- With envelope encryption
  - A data key is generated and used by the AWS service to encrypt each piece of data or resource.
  - The data key is encrypted under a master key that you define in AWS KMS.
  - The encrypted data key is then stored by the AWS service alongside the data.
  - For decryption, the AWS service passes the encrypted data key to AWS KMS, which decrypts it under the master key it was originally encrypted under, so the service can then decrypt your data.
- While KMS does support sending data smaller than 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits
  - When data is encrypted directly with KMS, the data itself must be transferred over the network.
  - Envelope encryption reduces the network load for the application or AWS cloud service, as only the request for and delivery of the data key through KMS must go over the network
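The two points above, envelope encryption and automatic rotation keeping old key versions for decryption, can be shown together in a small offline simulation. The following Go program is an added example written for this page, not AWS code: the master key material lives in memory as a stand-in for a KMS key (real KMS never releases it), AES-GCM from the Go standard library plays the role of both the data cipher and the key-wrapping cipher, and `GenerateDataKey`, `Rotate`, `Envelope` and the sample payload are all constructed names and values. The envelope records which master key version wrapped the data key, so ciphertext produced before a rotation still decrypts afterwards while new encryptions use the newest version, and only the small data key, never the data, would cross the network to KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what a service stores beside each object: the data key wrapped
// under the master key, the master key version used, and the GCM nonce.
type Envelope struct {
	EncryptedDataKey []byte
	KeyVersion       int
	Nonce            []byte
	Ciphertext       []byte
}

// MasterKey is a stand-in for a KMS key (constructed for this example).
// Rotation appends a new version; older versions are kept for decryption only.
type MasterKey struct {
	versions [][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewMasterKey() *MasterKey { return &MasterKey{versions: [][]byte{randomBytes(32)}} }

// Rotate mirrors automatic rotation: new material becomes current, old stays.
func (m *MasterKey) Rotate() { m.versions = append(m.versions, randomBytes(32)) }

func (m *MasterKey) CurrentVersion() int { return len(m.versions) - 1 }

// wrap encrypts a data key under one master key version (nonce prepended).
func (m *MasterKey) wrap(version int, dataKey []byte) ([]byte, error) {
	gcm, err := aesGCM(m.versions[version])
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, dataKey, nil), nil
}

// unwrap recovers a data key using the version recorded in the envelope.
func (m *MasterKey) unwrap(version int, blob []byte) ([]byte, error) {
	if version < 0 || version >= len(m.versions) {
		return nil, errors.New("unknown master key version")
	}
	gcm, err := aesGCM(m.versions[version])
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// GenerateDataKey models the KMS GenerateDataKey call: the caller gets a
// plaintext data key for local use plus the same key wrapped for storage.
func (m *MasterKey) GenerateDataKey() (plaintext, wrapped []byte, version int, err error) {
	plaintext = randomBytes(32)
	version = m.CurrentVersion()
	wrapped, err = m.wrap(version, plaintext)
	return
}

// Encrypt performs envelope encryption: the payload never leaves the caller;
// only the data key is wrapped by the master key.
func Encrypt(m *MasterKey, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, version, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	gcm, err := aesGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return &Envelope{EncryptedDataKey: wrapped, KeyVersion: version, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the data key under the recorded version, then opens the data.
func Decrypt(m *MasterKey, env *Envelope) ([]byte, error) {
	dataKey, err := m.unwrap(env.KeyVersion, env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := aesGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	master := NewMasterKey()
	env, _ := Encrypt(master, []byte("employee archive chunk")) // constructed sample payload
	master.Rotate()
	old, err := Decrypt(master, env)
	env2, _ := Encrypt(master, []byte("written after rotation"))
	fmt.Printf("pre-rotation envelope (version %d) decrypts: %q err=%v\n", env.KeyVersion, old, err)
	fmt.Printf("post-rotation envelope uses version %d\n", env2.KeyVersion)
}
```

Because the wrapped data key travels with the object, a service needs nothing but the master key's identity and the recorded version to decrypt later, which is exactly why automatic rotation does not force re-encryption of existing data.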
- Create keys with a unique alias and description
- Import your own keys
- Control which IAM users and roles can manage keys
- Control which IAM users and roles can use keys to encrypt & decrypt data
- Choose to have AWS KMS automatically rotate keys on an annual basis
- Temporarily disable keys so they cannot be used by anyone
- Re-enable disabled keys
- Delete keys that you no longer use
- Audit use of keys by inspecting logs in AWS CloudTrail
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- You are designing a personal document-archiving solution for your global enterprise with thousands of employees. Each employee has potentially gigabytes of data to be backed up in this archiving solution. The solution will be exposed to the employees as an application, where they can just drag and drop their files to the archiving system. Employees can retrieve their archives through a web interface. The corporate network has high-bandwidth AWS Direct Connect connectivity to AWS. You have regulatory requirements that all data needs to be encrypted before being uploaded to the cloud. How do you implement this in a highly available and cost-efficient way?
  - Manage encryption keys on-premise in an encrypted relational database. Set up an on-premises server with sufficient storage to temporarily store files and then upload them to Amazon S3, providing a client-side master key. (Storing files temporarily increases cost and is not a highly available option)
  - Manage encryption keys in a Hardware Security Module (HSM) appliance on-premise server with sufficient storage to temporarily store, encrypt, and upload files directly into Amazon Glacier. (Not cost effective)
  - Manage encryption keys in Amazon Key Management Service (KMS), upload to Amazon Simple Storage Service (S3) with client-side encryption using a KMS customer master key ID and configure Amazon S3 lifecycle policies to store each object using the Amazon Glacier storage tier. (With CSE-KMS the encryption happens at the client side before the object is uploaded to S3, and KMS is cost effective as well)
  - Manage encryption keys in an AWS CloudHSM appliance. Encrypt files prior to uploading on the employee desktop and then upload directly into Amazon Glacier (Not cost effective)
- An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 Instances. The customer’s security policy requires that every outbound connection from these instances to any other service within the customer’s Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance-id. In addition, the X.509 certificates must be signed by the customer’s Key management service in order to be trusted for authentication.
Which of the following configurations will support these requirements?
  - Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
  - Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
  - Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
  - Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.