Intro
- Regional service (keys are bound to a region)
- Provides encryption and decryption of data and manages keys required for it
- Encrypted secrets can be stored in the code or environment variables
- Encrypts up to 4 KB of data per API call (for data larger than 4 KB, use envelope encryption)
- Integrated with IAM for authorization
- Audit key usage with CloudTrail
- Need to set IAM Policy & Key Policy to allow a user or role to access a KMS key (encrypt or decrypt data using the key)
- Pay for the number of API calls made to KMS
- Does not support versioning of keys (cannot get back the old key)
KMS Keys (formerly Customer Master Key)
Symmetric keys
- AES-256 encryption
- Must call KMS API to encrypt data
- Necessary for Envelope Encryption
- Two types:
  - AWS Managed Keys (free)
    - Default KMS key for each supported service
    - Fully managed by AWS (cannot view, rotate or delete them)
    - Automatic yearly rotation
  - Customer Managed Keys ($1 per month)
    - Generated in KMS
      - Optional automatic yearly rotation
    - Generated and imported from outside
      - Must be a 256-bit symmetric key
      - Not recommended
      - Manual rotation only
    - Deletion has a waiting period (pending deletion state) of 7 to 30 days (default 30 days). The key can be recovered during the pending deletion state.
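Envelope encryption as described in the intro (4 KB limit) and in the symmetric-key notes above, as an added example that is not part of the original notes: the payload is encrypted locally under a one-time AES-256 data key, and only that data key goes through KMS. The `KeyService` interface and the `fakeKMS` type are assumed stand-ins so the code runs offline; production code would back the interface with the SDK's GenerateDataKey and Decrypt calls.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// KeyService is the pair of KMS calls envelope encryption needs (an assumed interface
// so the example runs offline; production code backs it with the real SDK calls).
type KeyService interface {
	GenerateDataKey() (plain, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}
// fakeKMS imitates the service boundary: key material never leaves it and the caller
// only holds an opaque handle, like the CiphertextBlob KMS returns.
type fakeKMS struct{ vault map[string][]byte }
func (k fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	plain, blob := make([]byte, 32), make([]byte, 16) // fresh 256-bit data key per object
	if _, err := rand.Read(plain); err != nil { return nil, nil, err }
	if _, err := rand.Read(blob); err != nil { return nil, nil, err }
	k.vault[string(blob)] = plain
	return plain, blob, nil
}
// Decrypt of an unknown blob yields nil, which gcm below rejects as an invalid key.
func (k fakeKMS) Decrypt(blob []byte) ([]byte, error) { return k.vault[string(blob)], nil }
// Envelope is the stored record: the payload encrypted locally plus its KMS-wrapped key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func gcm(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts a payload of any size locally; only the 32-byte data key crosses
// the KMS API, so the 4 KB per-call limit never applies to the data itself.
func Seal(ks KeyService, plaintext []byte) (*Envelope, error) {
	plain, wrapped, err := ks.GenerateDataKey()
	if err != nil { return nil, err }
	g, err := gcm(plain)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize()) // must be unique per encryption under one key
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Envelope{wrapped, nonce, g.Seal(nil, nonce, plaintext, nil)}, nil
}
// Open makes the one KMS call that IAM, the key policy and CloudTrail see (Decrypt of
// the wrapped key), then decrypts locally; GCM's tag check rejects any tampering.
func Open(ks KeyService, env *Envelope) ([]byte, error) {
	plain, err := ks.Decrypt(env.WrappedKey)
	if err != nil { return nil, err }
	g, err := gcm(plain)
	if err != nil { return nil, err }
	return g.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

The stored record is safe to keep next to the ciphertext (for example in an environment variable or a database column), because the wrapped key can only be unwrapped by a principal that IAM and the key policy allow to call Decrypt.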
Asymmetric Keys
- Public key (encrypt) and private key (decrypt) pair