Chloe McAree (McAteer)
AWS KMS & Cloud HSM

This is part of a blog series giving a high-level overview of the different services examined on the AWS Solutions Architect Associate exam; to view the whole series click here.

Key Management Service (KMS) Summary

  • KMS is a managed service that allows you to create and control encryption keys (Customer Master Keys).

  • Can integrate with most other AWS services to increase security and make it easier to encrypt your data.

  • Allows you to control access to the keys using things like IAM policies or key policies.

  • Provides you with a central place to manage all keys.

  • Encrypts/decrypts up to 4 KB of data directly.

  • Pay per API call.

  • Validated under the FIPS 140-2 (Level 2) security standard.

Types of Customer Master Keys (CMKs)

  1. Customer Managed CMKs → Keys that you create in AWS and that you own and manage. You are responsible for managing their key policies, rotating them and enabling/disabling them.

  2. AWS Managed CMKs → These are free and are created by an AWS service on your behalf and managed for you. However, only that service can use them.

  3. AWS Owned CMKs → Owned and managed by AWS and shared across many accounts.

Symmetric CMKs

  • With symmetric keys, the same key is used to encrypt and decrypt.

  • The key never leaves AWS unencrypted.

  • You must call the KMS API to use a symmetric key.

  • The AWS services that integrate with KMS use symmetric CMKs.
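Two of the points above, the 4 KB limit on direct encrypt/decrypt and the fact that a symmetric CMK never leaves AWS and can only be used through the KMS API, are why applications use envelope encryption: one KMS call generates a data key, the bulk data is encrypted locally under that key, and only the wrapped data key is stored beside the ciphertext. The Go program below is an added example, not code from the original post or from AWS. `KeyService` is an assumed interface covering the three KMS calls involved; `fakeKMS` is a constructed offline stand-in (fixed master key, simulated 4 KB limit) that mimics the service so the flow can run without an AWS account, and with the AWS SDK it would be replaced by a client issuing `kms.GenerateDataKey`, `kms.Encrypt` and `kms.Decrypt`.

```go
// Added example (not from the post): envelope encryption against a KMS-style key service.
// KeyService is an interface so the flow runs offline against fakeKMS, a constructed
// stand-in; with the AWS SDK the same calls are kms.GenerateDataKey and kms.Decrypt.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const kmsMaxPlaintext = 4096 // the 4 KB limit on kms:Encrypt / kms:Decrypt

// KeyService is the subset of the KMS API this example needs.
type KeyService interface {
	Encrypt(keyID string, plaintext []byte) ([]byte, error)
	GenerateDataKey(keyID string) (plaintext, ciphertextBlob []byte, err error)
	Decrypt(ciphertextBlob []byte) ([]byte, error)
}

// fakeKMS holds a constructed master key that, like the real one, never leaves the service.
type fakeKMS struct{ master []byte }
func newFakeKMS() *fakeKMS { return &fakeKMS{master: []byte("constructed-32-byte-master-key!!")} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-256-GCM with a random 12-byte nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short: %v", err)
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil) // fails on any tampering
}

// Encrypt mirrors kms:Encrypt, including the 4 KB limit on direct encryption.
func (f *fakeKMS) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsMaxPlaintext {
		return nil, fmt.Errorf("plaintext is %d bytes; limit is %d", len(plaintext), kmsMaxPlaintext)
	}
	return seal(f.master, plaintext)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh data key comes back both in
// plaintext (use it locally, then discard) and wrapped under the master key (store it).
func (f *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	dk := make([]byte, 32)
	rand.Read(dk)
	wrapped, err := seal(f.master, dk)
	return dk, wrapped, err
}
func (f *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(f.master, blob) }

// EnvelopeEncrypt: one KMS call per object, any size. Layout: 2-byte length | wrapped key | body.
func EnvelopeEncrypt(ks KeyService, keyID string, plaintext []byte) ([]byte, error) {
	dk, wrapped, err := ks.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	body, err := seal(dk, plaintext) // bulk data is encrypted locally, never sent to KMS
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(body))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	return append(append(out, wrapped...), body...), nil
}

// EnvelopeDecrypt unwraps the data key with one KMS round trip, then decrypts locally.
func EnvelopeDecrypt(ks KeyService, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob)) {
		return nil, fmt.Errorf("blob truncated")
	}
	n := int(binary.BigEndian.Uint16(blob))
	dk, err := ks.Decrypt(blob[2 : 2+n])
	if err != nil {
		return nil, err
	}
	return open(dk, blob[2+n:])
}
```

Calling `Encrypt` on a 1 MiB buffer returns the limit error, while `EnvelopeEncrypt` on the same buffer succeeds with a single key-service call and `EnvelopeDecrypt` needs exactly one more; the plaintext data key is only ever held in memory and is never stored. Because both layers are AES-GCM, any modification of the stored blob (wrapped key or body) is rejected on decrypt rather than producing garbage.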

Asymmetric CMKs

  • Asymmetric keys are mathematically related public and private key pairs.

  • The private key never leaves AWS unencrypted.

  • The public key can be downloaded via the KMS API and used outside of AWS.

  • AWS services that integrate with KMS DO NOT support asymmetric keys.

Cloud Hardware Security Module (HSM) Summary

  • Dedicated cloud-based hardware security module for creating, using and managing your own encryption keys in AWS.

  • Conforms to the FIPS 140-2 (Level 3) security standard.

  • You have no access to the AWS-managed component, and AWS has no visibility into or access to your keys.

  • Works with industry-standard APIs; there are no AWS APIs for the HSM.

  • CloudHSM runs within a VPC in your account.

  • Keys cannot be recovered if they are lost.