Intro

• Regional service (keys are bound to a region)
• Provides encryption and decryption of data and manages keys required for it
• Encrypted secrets can be stored in the code or environment variables
• Encrypt up to 4KB of data per API call (if data > 4 KB, use envelope encryption)
• Integrated with lAM for authorization
• Audit key usage with CloudTrail
• Need to set IAM Policy & Key Policy to allow a user or role to access a KMS key (encrypt or decrypt data using the key)
• Pay for the number of API calls made to KMS
• Does not support versioning of keys (cannot get back the old key)

KMS Keys (formerly Customer Master Key)

Symmetric keys

• AES-256 encryption
• Must call KMS API to encrypt data
• Necessary for Envelope Encryption
• Two types:
  • AWS Managed Keys (free)
    • Default KMS key for each supported service
    • Fully managed by AWS (cannot view, rotate or delete them)
    • Automatic yearly rotation
  • Customer Managed Keys (1$ per month)
    • Generated in KMS
      • Optional automatic yearly rotation
    • Generated and imported from outside
      • Must be 256-bit symmetric key
      • Not recommended
      • Manual rotation only
    • Deletion has a waiting period (pending deletion state) between 7 - 30 days (default 30 days). The key can be recovered during the pending deletion state.

Asymmetric Keys

• Public (Encrypt) and Private Key (Decrypt) pair