Using AWS KMS

3 Types of Keys in AWS KMS
To deploy good encryption practices, you must have control over your encryption keys. In AWS, this is all done through the AWS Key Management Service (KMS) feature, which allows you to create, control, and manage customer master keys (CMKs). In this demo, we will spotlight the three types of CMKs that are used in AWS KMS, including: 

  1. AWS managed keys are created by AWS on behalf of the customer. They are unique to your account, but do not provide as much control as other types of CMKs. 
  2. Customer managed keys are created by the customer and provide many more control options over configurations. 
  3. Custom key stores are supported by AWS CloudHSM clusters and is certified at FIPS 140-2 Level.

For a visual guide to learning about AWS managed keys, customer managed keys, and custom key stores in relation to CMKs, watch the full demo. 


Transcription 
We are logged into the KMS console within AWS. The thing you notice over here on the left is that there are basically three options that we have. An AWS managed key is created for each of the services where KMS-enabled encryption is provided. So, you see, here, just working through some things, we have one for S3 and one for EBS. These are AWS managed keys. That means that if you try to look at them, you don’t really get a lot to look at. You get a read-only version of what the policy actually says. Then, you also get to look at the cryptographic configuration. Again, these are managed by AWS and we don’t get to define things. We don’t get to extend the policy. We don’t get to change any of the key rotation parameters, or anything like that. But they are presented to you, here, because they are KMS keys that are unique to your account. 

Under customer managed keys, you can see that the customer master keys that we’ve actually defined. I used this key in some of the other videos that we’ve done in this series. If we look at this, you see we get quite a bit more to work with. We actually get to edit our policy. We get to define different deny or allow decisions based on different criteria. Again, we get to see the same cryptographic configurations. These parameters are not changeable after you initially set up a key. We get to define some tags so that we can categorize and organize our keys. We get to enable or disable key rotation. We’ll talk about this in just a second, but there it is. We also get to define some aliases. We could create my-awesome-key. We get to create our own aliases, as well. That is a helpful feature if the annual key rotation does not work in your situation and you need to rotate your keys on something different than that, then your applications could call the key by the alias and you just create new keys using the same alias. That would achieve the same effect. So, a customer master key, a CMK, is the more powerful option. 

Finally, the last option that we have is that we can get our key stores from an AWS CloudHSM service that we might be using. Those are our three options. 

Now, one of the important things to keep in mind when we’re talking about these keys is that these keys, within KMS, are used to protect the data key that is actually used to encrypt the content. For instance, with every file that is written to S3, a unique data key is used to encrypt that file when it is submitted to S3. That data key is then encrypted by these KMS keys, which provides an important capability. We can actually deny access to KMS keys as a form of access control, so that even though the user might be able to see the file, they might not be able to download the unencrypted version of it. That is an important capability as you think about your encryption strategies. Another use case for KMS keys is in both RDS and EBS, so your Relational Database Service as well as your Elastic Block Store. In those cases, RDS is really just backed up by an EBS volume. Whenever you create an RDS instance and you can use a KMS key to encrypt both the EBS volumes as well as RDS data stores. In that case, you are encrypting the volume key that is actually used by EBS to actually encrypt and decrypt the data, itself. Again, KMS keys in all the use cases protect the encryption key that is actually used to encrypt the data.

Related Videos

Basic Tools for AWS Security
Cloud Attacks on the Rise
Do All Keys Have Resources Attached?
Enable Role Based Access Control (RBAC) for Azure Key Vault
Encrypt Kubernetes Secrets Using Keys
Encrypting Traffic In and Out of AWS
Encryption Decisions for Your Technology Stack
Encryption Opportunities
Encryption for EBS Volumes
Encryption for S3 Buckets
Enforce Separation of Duties When Assigning KMS Related Roles
Enforcing Strong TLS Ciphers
Ensure KMS Cryptokeys Are Not Publicly Accessible
Ensure Use of CMKs for Unattached Disks
Ensure that Virtual Hard Disks Are Encrypted
Ensure that an Expiration Date Is Set for All Keys in Non-RBAC Key Vaults
Ensure that an Expiration Date Is Set for All Secrets in Non-RBAC Key Vaults
Ensure the Key Vault Is Recoverable
Events that Drive Key Rotation
FAQs for Amazon S3 Security
How to Configure Encryption for EBS Volumes on Existing EC2 Instances
How to Configure Encryption for EBS Volumes on New EC2 Instances
How to Configure Encryption for RDS
How to Configure Encryption for S3 Buckets
Install Endpoint Protection for All Virtual Machines
Introduction to Amazon Inspector
Key Rotation and Management
Load Balancers Must Require TLS 1.2
Only Install Company-Approved Extensions on Your Virtual Machines
PCI Requirement 3.1 - Keep Cardholder Data Storage to a Minimum
PCI Requirement 3.2 - Do Not Store Sensitive Authentication Data After Authorization
PCI Requirement 3.3 Mask PAN when Displayed
PCI Requirement 3.4 Render PAN Unreadable Anywhere it Is Stored
PCI Requirement 3.4.1 Logical Access Management
PCI Requirement 3.5 Document & Implement Procedures to Protect Keys
PCI Requirement 3.5.1 Maintain a Documented Description of The Cryptographic Architecture
PCI Requirement 3.5.2 Restrict Access to Cryptographic Keys
PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/Decrypt Cardholder Data
PCI Requirement 3.5.4 Store Cryptographic Keys in The Fewest Possible Locations
PCI Requirement 3.6 Document & Implement all Key-Management Processes & Procedures
PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys
PCI Requirement 3.6.2 Secure Cryptographic Key Distribution
PCI Requirement 3.6.3 Secure Cryptographic Key Storage
PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion
PCI Requirement 3.6.5 Replacing Weakened Keys
PCI Requirement 3.6.6 Using Split Knowledge & Dual Control
PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys
PCI Requirement 3.6.8 Key-Custodian Responsibilities
PCI Requirement 3.7 Security Policies & Operational Procedures
PCI Requirement 4.1 – Use Strong Cryptography & Security Protocols to Safeguard Sensitive CHD
PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD Use Strong Encryption
PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties
PCI Requirements 3.2.1, 3.2.2, & 3.2.3 Do Not Store Tracks, Codes, or PINs After Authorization
Preventing Public Accessibility on DB Instances
Re-Keying for Decryption
Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks
Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies
Rotate KMS Encryption Keys Regularly
Route 53 Support for DNSSEC
Set Expiration Date for All Keys in RBAC Key Vaults
Set Expiration Date for All Secrets In RBAC Key Vaults
Take Advantage of Automatic Key Rotation within Azure Key Vault
The AWS Shared Responsibility Model
Use CMEK To Secure GKE Storage
Using Prowler to Evaluate AWS Security
Using S3 Versioning
Using TLS 1.2 to Encrypt Data in Transit
Utilize CMKs for OS and Data Disks