What AWS Key Management Service is
This blog will help you understand what AWS Key Management Service (KMS) is and in which scenarios AWS KMS should be used.
AWS Key Management Service (AWS KMS) is an AWS managed service that helps you protect your encryption keys. You can create and manage them using AWS KMS.
Suppose the plaintext is `Hello` and the mapping table is as below:

Key | Value |
---|---|
H | # |
e | 4 |
l | H |
o | ? |

Applying the table to each letter gives the ciphertext `#4HH?`. A long time ago it was very difficult for people to recover the plaintext if they did not know this mapping table. Nowadays, people can use brute force to obtain the plaintext. Cryptographers have invented encryption algorithms to solve this problem. All these encryption algorithms consist of the plaintext, a key and a rule. Compared with the example above, the key in the encryption algorithm plays the role of the mapping table. That is why the key is so important. On the other hand, we can do the inverse operations to decrypt the ciphertext and obtain the plaintext.

Type of CMK | Can view | Can manage | Used only for my AWS account | Automatic rotation |
---|---|---|---|---|
Customer managed CMK | yes | yes | yes | Optional. Every 365 days. |
AWS managed CMK | yes | no | yes | Required. Every 1095 days. |
AWS owned CMK | no | no | no | Varies |
```json
{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::157854716818:root"
    },
    "Action": "kms:*",
    "Resource": "*"
},
{
    "Sid": "Allow access for Key Administrators",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::157854716818:user/xiongpin"
    },
    "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:RotateKeyOnDemand"
    ],
    "Resource": "*"
}
```
The key policy above allows `user/xiongpin` to administer the CMK. The following key policy shows that only the role `AWSServiceRoleForSupport` can use the CMK.
```json
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::157854716818:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
```