What AWS Key Management Service is
This blog will help you understand what AWS Key Manangement Service(KMS) is and in what scenarios AWS KMS should be used.
Published Jan 1, 2025
AWS Key Management Service (AWS KMS) is an AWS managed service that help to protect your encryption keys. You can create and manage them using AWS KMS.
Before introducing what AWS KMS is, we should know a little bit cryptography technology.
Generally speaking, cryptography technology can help people protect thier sensitive data. If we want to reach this goal, we have to use encryption algorithms to change the sensitive data from the plaintext to ciphertext and use decryption algorithms to convert the ciphertext to plaintext.
Encryption is the process that converts sensitive data into an alternative form that hides the true meaning of that information. Encryption has been there a long time before computers to facilitate secret communication. Traditionally, we encrypt the plaintext using a mapping table to change the plaintext to ciphertext.
For example, the plaintext is
Hello
, the mapping table is as below:Key | Value |
---|---|
H | # |
e | 4 |
l | H |
o | ? |
The encrypted content(ciphertext) is
#4HH?
. It's very diffcult for people to know the plaintext a long time ago if they don't know this mapping table. Nowadays, people can use brute force to obtain the plaintext. Cryptographers have invented some encryption algorithms to solve this problem. All these encryption algorithms consist of the plaintext, a key and a rule. Compaired with the example above, the key in the encryption algorithm is similar with the mapping table. That the reason why the key is very important. On the other hand, we can do the inverse operations to decrypt the ciphertext to obtain the plaintext.There are two types of encryption algorithms, symmetric encryption algorithm and asymmetric encryption algorithm respectively. The difference between them is the key. For symmetric encryption algorithm, the key can be used to encrypt the plaintext and decrypt the ciphertext. However, the asymmetric encryption algorithm have different keys. The public key is to encrypt the plaintext, and the private key is to decrypt the ciphertext.
As we know, the key is really very important to protect our sensitive data. The purpose of AWS KMS is to protect thoes keys.
All encryption keys are call Customer Master Key (CMK) which is stored in KMS using Hardware Security Moduel(HSM). KMS can promise that the keys cannot leave the HSM to encrypt or decrypt the data. AWS CloudTrail can track the usage logs of the keys for audit and compliance needs.
There are three types of CMKs in AWS KMS below:
Type of CMK | Can veiw | Can manage | Used only for my AWS account | Automic rotation |
---|---|---|---|---|
Customer managed CMK | yes | yes | yes | Optional. Every 365 days. |
AWS managed CMK | yes | no | yes | Required. Every 1095 days. |
AWS owned CMK | no | no | no | Varies |
AWS owned CMK is the fundamental facility, which is the root key of all keys. AWS managed CMKs are derived by the AWS owned CMK, which is used for AWS services.
This graph shows all AWS managed CMKs in my AWS account. If you use more AWS services, you can see more.
In terms of customer manage CMKs, we can create and mange them. AWS provides two features for CMKs. The one is key policies, the other is key rotation.
The purpose of this feature is to define who can use the keys and who can administrate the keys. Once created, these policies cannot be modified, only deleted.
The above key policy shows the root user of this account allows full access to the CMK, and
user/xiongpin
allows administrate the CMK. The following key policy shows there only the role of AWSServiceRoleForSupport
can use the CMK.In summary, KMS use key policies to define different kinds of permissions.
Cryptographic best practices discourage extensive use of encryption keys. Because of that, AWS allows rotating the CMK. You can enable automic key rotation.
This graph shows how AWS KMS rotate the key below.
AWS KMS saves references to the old backing keys when renewing. In this way, AWS KMS can decrypt the data or data keys that were generated by the older versions fo backing keys.