
KMS

Priority Tier 4 Domain 1: Design Secure Architectures

AWS Key Management Service (KMS) is a fully managed service that provides a scalable and secure way to create and manage cryptographic keys, allowing for encryption and decryption of data. (Source: 3, 6) It reduces operational overhead by handling key rotation and audit logging, and integrates with most AWS services. (Source: 3) KMS is fundamental for protecting data at rest across a wide range of AWS services, adhering to security and compliance requirements. (Source: 2, 9)

Learning Objectives

Core Capabilities of AWS Key Management Service (KMS)

AWS KMS is the foundation for encryption in AWS, designed to simplify key management and enhance data security.

KMS serves as the central service for managing the lifecycle of encryption keys across AWS. It is a core component of secure application architectures.
KMS is a fully managed, highly available, and durable service, which handles the operational overhead of key management. This includes automatic key rotation and audit logging via AWS CloudTrail, significantly reducing the administrative burden on developers.
Developers can interact with KMS using its APIs for encryption and decryption operations without needing to manage the underlying key infrastructure directly.
KMS is used for data at rest encryption across various AWS services, helping protect sensitive information and meet compliance requirements.

KMS Customer Master Keys (CMKs)

KMS utilizes Customer Master Keys (CMKs) for encryption operations, offering different management options.

AWS managed keys: These keys are managed by AWS, providing a simpler approach where AWS handles the key's lifecycle.
Customer managed keys: These keys are created and managed by the customer, offering more control over their lifecycle and access policies.
KMS allows the creation of customer-managed keys for encryption operations. For instance, an EC2 instance role can be granted permission to use such a key for encryption.

KMS Integrations with AWS Services

KMS integrates with a wide range of AWS services to provide encryption at rest, ensuring data protection and compliance.

Amazon S3 (Simple Storage Service)

KMS is crucial for server-side encryption of S3 objects, offering enhanced control and auditing. The S3 integration supports automatic annual key rotation and logs every use of the key in AWS CloudTrail.
integration_method: Server-Side Encryption with AWS KMS keys (SSE-KMS) and Dual-Layer Server-Side Encryption with KMS (DSSE-KMS)
key_rotation: Automatic annual key rotation supported by KMS
auditing: Key usage logging in AWS CloudTrail
Use Cases:
  • Encrypting confidential data at rest in S3
  • Auditing key usage

Amazon EBS (Elastic Block Store)

EBS volumes leverage KMS for encryption at rest and in transit between EC2 instances and EBS volumes. Encryption must be enabled at the time of volume creation or by encrypting a snapshot and restoring from it. Snapshots created from encrypted volumes are also encrypted.
encryption_standard: AES-256
key_management: AWS Key Management Service (KMS)
performance_impact: None
cost_impact: None
immutability: Cannot be enabled on existing unencrypted volumes
Use Cases:
  • Encrypting data for EC2 instances
  • Securing boot volumes and data volumes

Amazon RDS (Relational Database Service)

KMS is used for encryption at rest for RDS databases. When database encryption is enabled during creation, all associated snapshots, backups, and read replicas are automatically encrypted. Once enabled, encryption cannot be disabled.
method: Encryption at rest
inheritance: Snapshots, backups, and read replicas are automatically encrypted if the database is encrypted.
immutability: Once enabled, encryption cannot be disabled.
Use Cases:
  • Securing relational databases

Amazon EFS (Elastic File System)

EFS supports encryption at rest using AWS KMS. This encryption can only be enabled when creating a new EFS file system. To encrypt an existing unencrypted EFS, a new encrypted EFS must be created and data copied over.
method: Encryption at rest
enforcement: Can only be enabled when creating a new EFS file system
Use Cases:
  • Encrypting shared file systems

Amazon ElastiCache

ElastiCache supports encryption at rest using KMS. By default, encryption at rest is enabled for ElastiCache clusters, utilizing either a default KMS key or a customer-managed key.
method: Encryption at rest
default_state: Enabled by default
key_options: Default KMS key or customer-managed key
Use Cases:
  • Encrypting in-memory data for caching

AWS Backup

AWS Backup vaults can be encrypted using KMS keys. This can be the default AWS managed KMS key or a customer-managed KMS key, enhancing the security of your backup data.
method: Backup vault encryption
key_options: Default AWS managed KMS key or customer-managed KMS key
Use Cases:
  • Securing backup data

IAM Access Analyzer

KMS keys are among the resource types supported by IAM Access Analyzer, allowing the tool to identify KMS keys that can be accessed publicly or from external AWS accounts.
supported_resource_type: KMS Keys
Use Cases:
  • Auditing external access to encryption keys

S3 Encryption with KMS (SSE-KMS)

Server-Side Encryption with AWS KMS (SSE-KMS) offers a managed encryption solution for Amazon S3 objects, integrating directly with AWS Key Management Service.

SSE-KMS integrates with AWS Key Management Service (KMS) for managing encryption keys, providing customer control over key usage and auditing.
SSE-KMS is not the default encryption method and must be explicitly selected. Users can choose between an AWS managed Customer Master Key (CMK) or a customer managed CMK, with the latter providing more control over the key's lifecycle and access policy.
When uploading objects, specific HTTP headers are required to indicate SSE-KMS encryption and specify the KMS CMK ID.
Technical Specs: Headers: X-Amz-Server-Side-Encryption: aws:kms, X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: <KMS CMK ID>
S3 requests a plaintext data key and an encrypted copy of the data key from KMS. KMS generates the data key, encrypts it with the CMK, and returns both to S3. S3 then encrypts the object using the plaintext data key, removes the plaintext key from memory, and stores the encrypted object along with the encrypted data key as metadata.
For decryption, S3 sends the encrypted data key to KMS. KMS decrypts the data key using the CMK and returns the plaintext data key to S3. S3 then decrypts the object using the plaintext data key, removes the plaintext key from memory, and finally returns the unencrypted object to the user.

Dual-Layer Server-Side Encryption with KMS (DSSE-KMS)

DSSE-KMS provides an enhanced security option for S3 objects, offering two independent layers of AES-256 encryption.

DSSE-KMS provides two independent layers of AES-256 encryption for S3 objects, enhancing data protection.
The initial layer encrypts data using a unique data encryption key generated by KMS.
The data, already encrypted by the first layer, is encrypted again using AES-256 with a key managed by Amazon S3 (SSE-S3).
Specific HTTP headers are used during object uploads to enable DSSE-KMS encryption.
Technical Specs: Headers: X-Amz-Server-Side-Encryption: aws:kms:dsse, X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: <KMS CMK ID>
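The envelope flow described under SSE-KMS (data key generated and wrapped by KMS, plaintext key discarded after use, wrapped key stored as object metadata) and the second S3-managed layer that DSSE-KMS adds, as an added illustration that is not AWS code: LocalKms stands in for the KMS GenerateDataKey/Decrypt calls, S3_MANAGED_KEY for the SSE-S3 key, and an HMAC-SHA256 keystream for AES-256 so the block runs offline.

```python
import hashlib, hmac, os

S3_MANAGED_KEY = os.urandom(32)  # stand-in for the key S3 holds for the SSE-S3 layer (assumption)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES-256 so the block
    runs offline; encrypting and decrypting are the same XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class LocalKms:
    """Stand-in for KMS: the KMS key never leaves this object. Callers get a fresh
    data key plus its wrapped copy (GenerateDataKey) or a wrapped key unwrapped (Decrypt)."""
    def __init__(self) -> None:
        self._kms_key = os.urandom(32)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        plaintext_key, nonce = os.urandom(32), os.urandom(12)
        return plaintext_key, nonce + stream_xor(self._kms_key, nonce, plaintext_key)

    def decrypt(self, wrapped_key: bytes) -> bytes:
        return stream_xor(self._kms_key, wrapped_key[:12], wrapped_key[12:])

def s3_put_object(kms: LocalKms, body: bytes, dsse: bool = False) -> dict:
    """Upload path: get a data key, encrypt, store only the wrapped key as metadata."""
    plaintext_key, wrapped_key = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = stream_xor(plaintext_key, nonce, body)
    del plaintext_key  # the plaintext data key is dropped; only the wrapped copy persists
    obj = {"x-amz-server-side-encryption": "aws:kms", "encrypted_data_key": wrapped_key,
           "nonce": nonce, "ciphertext": ciphertext}
    if dsse:  # DSSE-KMS: a second, independent layer under the S3-managed key
        obj["x-amz-server-side-encryption"] = "aws:kms:dsse"
        obj["nonce2"] = os.urandom(12)
        obj["ciphertext"] = stream_xor(S3_MANAGED_KEY, obj["nonce2"], ciphertext)
    return obj

def s3_get_object(kms: LocalKms, obj: dict) -> bytes:
    """Download path: peel the S3 layer if present, have KMS unwrap the data key, decrypt."""
    data = obj["ciphertext"]
    if obj["x-amz-server-side-encryption"] == "aws:kms:dsse":
        data = stream_xor(S3_MANAGED_KEY, obj["nonce2"], data)
    plaintext_key = kms.decrypt(obj["encrypted_data_key"])
    body = stream_xor(plaintext_key, obj["nonce"], data)
    del plaintext_key  # dropped again once the object is decrypted
    return body
```

The stored object never contains the plaintext data key, so an S3-side copy is useless without a KMS Decrypt call, which is exactly what CloudTrail records and what the key policy gates.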

KMS vs. AWS CloudHSM

While both KMS and CloudHSM provide key management, they cater to different compliance and control requirements, offering distinct levels of hardware security and management overhead.

AWS Key Management Service (KMS)
  key_concept: Foundation for encryption in AWS, managing the lifecycle of encryption keys.
  hardware_compliance: Highly available and durable service for AWS-managed and customer-managed keys.
  control_level: Managed by AWS, with options for customer-managed keys.

AWS CloudHSM
  key_concept: Dedicated hardware security module for strict compliance requirements.
  hardware_compliance: Provides FIPS 140-2 Level 3 validated hardware for key storage.
  control_level: Customer-controlled physical key storage.

Exam Tips

Key Takeaways

Content Sources

07_AWS_Solutions_Architect_Associate_...
AWS Well-Architected Framework: Pilla...
06_AWS_Solutions_Architect_Associate_...
AWS_MIGRATION_PLAN
05_AWS_Solutions_Architect_Associate_...

Extracted: 2026-01-26 09:26:42.171317 Model: gemini-2.5-flash