Read Time: 15 minutes

AWS provides many services, including database, storage, networking, and many more. AWS Key Management Service (KMS) is one of the most popular services offered by AWS. It is a beneficial service that helps in dealing with sensitive data and managing cryptographic keys.

What is AWS Key Management Service (KMS)?

AWS KMS is a service that can be integrated with various other AWS services. It can be used to create, store, and control cryptographic keys to encrypt data in your application. With the help of the AWS KMS service, a user can control access to the encrypted data. AWS KMS provides almost 100 percent of the durability of cryptographic keys.

Keys are stored in multiple Availability Zones (AZ’s) that ensure the high availability of keys. AWS KMS is integrated with CloudTrail, which allows users to audit the purpose for which the key is used, when it was used, and by whom the key was used.

Some Important Points about AWS KMS

  • The keys generated in a region cannot be sent outside of that region.
  • KMS uses an AWS Hardware Security Module (HSM), which is FIPS 140-2 compliant, to store keys.
  • AWS KMS allows controlling access to master keys.
  • Users can encrypt data stored in Amazon EBS, Amazon S3, and Amazon Redshift as AWS KMS is integrated with these services.

How does AWS KMS work?

To learn the inner workings of AWS KMS, we must first learn the terms and concepts used in AWS KMS.

There are two types of keys in AWS KMS:

  1. Customer Master Keys
  2. Data Keys

Customer Master Keys (CMKs)

A CMK is a logical representation of the master key. The CMK contains metadata like key ID, Creation Date, key state, and description of the key and the key material used for encryption and decryption.

By default, Key material is created by AWS KMS. No one can modify, manage, view, or extract the key material. Key material cannot be deleted as well. If a user wants to delete key material, then the user has to delete the CMK. Users can import their key material into a CMK or create key material for CMKs in an AWS CloudHSM Cluster.

AWS CMK provides both Symmetric and Asymmetric CMKs. Symmetric CMKs use a 256-bit key for encryption and decryption. In contrast, asymmetric CMKs use RSA key pairs for encryption and decryption or Signing and verification. An asymmetrically created key, called an ECC key, can only be used for signing and verification. CMKs are created in AWS KMS. CMKs can be managed by the AWS Management Console or the AWS KMS API. All symmetric keys and private asymmetric keys never leave the AWS KMS unencrypted. To perform any cryptographic operation using CMKs, the user must use the AWS KMS API.

There are three types of CMKs supported by AWS KMS:

  1. Customer Managed CMK: Customer Managed CMKs are those CMKs in the user account that the user can create, own, and manage. Users have complete control over Customer Managed Keys, allowing them to establish and manage their key policies, IAM policies, grants, rotation of cryptographic material, etc.
  2. AWS Managed CMK: The CMKs in the user account created and managed by AWS on behalf of the user is known as AWS Managed CMKs. AWS managed CMKs cannot be directly used in cryptographic operations. Users cannot manage, rotate or change the key policies of AWS managed CMKs. However, users can view the key policies and audit their use in AWS CloudTrail (integrated with AWS KMS) in their AWS account.
  3. AWS Owned CMK: The Collection of CMKs owned and managed by AWS for use in multiple clouds is known as an AWS Owned CMK. AWS owned CMKs protect the resources in the user account. These CMKs are not found in the user’s account. With AWS owned CMKs, users do not need to create or manage CMKs. Users cannot view, use, track, or audit them.

Data Keys

The keys used to encrypt data and other data encryption keys are Data Keys. Data keys are used to encrypt a large amount of data as customer master keys (CMKs) cannot encrypt data larger than 4KB. Data keys are used and managed outside of AWS KMS. Data keys are not stored, managed, or tracked by AWS KMS. AWS KMS does not perform any cryptographic operation with data keys, however, users can generate, encrypt, and decrypt data keys with the help of AWS KMS customer master keys (CMKs). Data keys can encrypt and decrypt data in other AWS services like Amazon S3, EBS, EC2, etc.

  • Create data key
    AWS KMS uses user-specified CMKs to generate a data key. A data key can be generated by calling the GenerateDataKey operation. This operation returns two copies of the data key, one in plaintext and the other one encrypted under the CMK. Another operation, GenerateDataKeyWithoutPlaintext, can also be used, which returns a single copy of the data key that is encrypted under CMK.
    Before using an encrypted data key, ask AWS KMS to decrypt it.
  • Encrypting data with a data key
    As mentioned earlier, AWS KMS does not use data keys to perform any cryptographic operation. To encrypt data with a data key, use a plaintext data key, encrypt data outside of AWS KMS, and delete it from memory, then, store the encrypted data key.
  • Decrypting data with a data key
    To decrypt data outside of AWS KMS with a data key, the Decrypt operation is used to decrypt the encrypted data key, which returns a plaintext copy of the data key.
    Now, Data outside of AWS KMS can be decrypted using a plaintext data key. The user must remove the plaintext data key from memory after using it.
    The following diagram show how the Decrypt operation decrypt the Encrypted Data Key:
  • Data Key Pair
    Users can create an asymmetric data key pair consisting of mathematically related private and public keys. Generally, these key pairs are used for client-side encryption and decryption or the signing and verification process outside of AWS KMS.
    The private key of each data key is protected by AWS KMS using user-specified symmetric CMKs, but users have to manage and use the data key pair outside the AWS KMS as it does not track, manage or use data key pairs to perform any cryptographic operations.
    Users can generate the following data key pairs in AWS KMS:  
    • RSA key pair of 2048 bit, 3076 bit, and 4096 bits. Generally used for encryption and decryption.
    • Elliptical Curve key pair: ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P512, and ECC_SECG_P256K1. Generally used for Signing and verification.
  • Creating a Data key Pair
    To generate a data key pair, the user needs to call the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation according to the requirement and specify a symmetric CMK that will encrypt the private key.
    GenerateDataKeyPair operations generate three keys: a plaintext public key, a plaintext private key, and an encrypted private key. In contrast, GenerateDataKeyPairWithoutPlaintext generates two keys: a plaintext public key and an encrypted private key.
  • Encrypting data with a data key pair
    The public key of a data key pair is used to encrypt the data, and the private key of the same data key pair is used to decrypt the data.
  • Decrypting data with a data key pair
    The plaintext private key of the same data key pair whose public key was used for encryption is used to decrypt the data. The Decrypt operation is used to decrypt the encrypted private key of a data key pair, and remove the plaintext private key from memory after using it.
  • Signing messages with a data key pair
    The plaintext private key of a data key pair is used to generate a cryptographic signature for a message, and anyone with the public key of the same data key pair can use it to verify the signature.
    If the private key is encrypted with the AWS CMK, the Decrypt operation is used, which returns the private key in plaintext format used for signing purposes. As always, the user should remove the plaintext private key from memory after use.
  • Verifying a message with a data key pair
    The public key of the data key pair is used for verification. The public key should belong to the same data key pair whose private key was used for Signing. Verification of the signature confirms that an authorized user signed the message and it has not been altered.
  • Aliases
    Users can give a friendly name to a CMK known as an Alias. For example, the CMK name is 9897aswd-34dw-1234-89hg-asdkal212012, the user can give it an alias of key-01. With the help of an alias, users can easily identify a CMK in AWS KMS operations.
  • Cryptographic Operations
    The AWS SDK, AWS Tools for PowerShell, or AWS Command Line Interface (AWS CLI) is required to perform any cryptographic operations with CMKs because CMKs remain within AWS KMS. Users cannot perform any cryptographic operation with CMKs in the AWS KMS console.

Below is a table which summarizes the AWS KMS cryptographic operations:

OperationCMK Key TypeCMK Key Usage
DecryptSymmetric/AsymmetricENCRYPT_DECRYPT
EncryptSymmetric/AsymmetricENCRYPT_DECRYPT
GenerateDataKeySymmetricENCRYPT_DECRYPT
GenerateDataKeyWithoutPlaintextSymmetricENCRYPT_DECRYPT
GenerateDataKeyPairAsymmetricENCRYPT_DECRYPT
GenerateDataKeyPairWithoutPlaintextAsymmetricENCRYPT_DECRYPT
ReEncryptSymmetric/AsymmetricENCRYPT_DECRYPT
SignAsymmetricSIGN_VERIFY
VerifyAsymmetricSIGN_VERIFY

Note:  GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations generate asymmetric data key pair which symmetric CMKs protect it.

  • Envelope Encryption
    Users can protect their plaintext data by encrypting it with a key, but how do they protect the encryption key? This brings in the concept of Envelope encryption, where the plaintext data is encrypted with the data keys, and the data keys are encrypted with master key. AWS KMS is responsible for the security of the master key. Master keys are stored and managed by AWS KMS and never leave the HSM unencrypted.
    Benefits of Envelope Encryption:  
    • Protecting data keys: The data keys are inherently protected by encrypting them with CMKs. So, the encrypted data keys can be safely stored with encrypted data.
    • Encrypting the data key with master key: Encrypting large data with data keys, again and again, can be a time-consuming process. So, instead of encrypting data repeatedly, the encryption key can be encrypted with a master key.
    • Combining the strength of multiple algorithms: Envelope Encryption enables you to use the strength of both Symmetric and Asymmetric algorithms.
  • Key Policy
    Users can define the permissions for CMK in a document called a key policy. Users can add, remove or change permissions at any time for Customer Managed Keys, but cannot edit the AWS Managed CMK as AWS manages it on behalf of the user.
  • Grant
    Grants are temporary permissions that users can create, use, and delete without changing key or IAM policies. Grants are also considered with IAM policies and key policies when users access a CMK.
  • Auditing CMK Usage
    AWK KMS is integrated with CloudTrail, which can be used to audit key usage. CloudTrail creates log files for AWS API calls and related events in the account. These log files contain all AWS API requests from AWS SDK, AWS Management Console, or AWS command-line tools. These log files can be used to find important information like when the CMK was used, which operation was requested, requester identity, and the source IP address.

Creating Customer Managed Symmetric CMKs

A user should follow the following steps to create Customer Managed Symmetric CMK using AWS Management Console:

  1. Sign in to the AWS management console and open the AWS KMS console.
  2. You can change the AWS region from the upper-right corner of the page.
  3. Choose customer manages keys from the navigation pane.
  4. Choose create key.
  5. In Key type, select the type of CMK, i.e., Symmetric.
  6. Click on Next.
  7. Create an alias for the CMK.
  8. Type the description for the CMK. (Optional)
  9. Click on Next.
  10. Type a tag key and tag value. (Optional)
  11. Click on Next.
  12. Select IAM users and roles that can administer the CMK.
  13. Clear Allow key administrators to delete this key check box if you do not want to allow IAM users and roles to delete this key. (Optional)
  14. Click on Next.
  15. Select IAM users and roles that can use the CMK to perform cryptographic operations.
  16. In the Other AWS accounts section, click on Add another AWS account and type AWS account identification number to allow them to use this CMK for cryptographic operations. (Optional)
  17. Click on Next.
  18. Review the key configuration that you have done.
  19. Click on Finish to create the CMK.

Creating Customer Managed Asymmetric CMKs

A user should follow the following steps to create Customer Managed Symmetric CMK using AWS Management Console:

  1. Sign in to the AWS management console and open the AWS KMS console.
  2. You can change the AWS region from the upper-right corner of the page.
  3. Choose customer manages keys from the navigation pane.
  4. Choose create key.
  5. In Key type, select the type of CMK, i.e., Asymmetric.
  6. In Key usage, select the purpose for which key is created, i.e., Encrypt and decrypt or Sign and verify.
  7. Select the specification of your asymmetric CMK.
  8. Click on Next.
  9. Create an alias for the CMK.
  10. Type the description for the CMK. (Optional)
  11. Type a tag key and tag value. (Optional)
  12. Click on Next.
  13. Select IAM users and roles that can administer the CMK.
  14. Clear Allow key administrators to delete this key check box if you do not want to allow IAM users and roles to delete this key. (Optional)
  15. Click on Next.
  16. Select IAM users and roles that can use the CMK to perform cryptographic operations.
  17. In the Other AWS accounts section, click on Add another AWS account and type AWS account identification number to allow them to use this CMK for cryptographic operations. (Optional)
  18. Click on Next.
  19. Review the key configuration that you have done.
  20. Click on Finish to create the CMK.

Benefits of AWS KMS

  1. Fully managed: AWS KMS provides full control access to encrypted data by enforcing the permissions defined by the user to use keys.
  2. Centralized key management: AWS KMS provides a single control point to manage and define key policies. Users can create, import, manage, delete, or rotate keys from the AWS key management console, or use AWS CLI or SDK.
  3. Digitally Sign data: The user can generate an asymmetric key in AWS KMS and can perform digital signing operations to maintain the integrity of the data.
  4. Secure: In AWS KMS, keys are generated and protected in Hardware security modules (HSMs) validated under FIPS 140-2. For security, keys are only used inside HSMs and can never be shared outside the AWS region in which they were created.
  5. Built-in auditing: AWS KMS is integrated with CloudTrail to help in monitoring key usage to meet regulatory and compliance needs.

Below is the table which summarizes the AWS Key Management Service Crypto Properties:

AWS Key Management Service Crypto Properties
 
Tenant Multi-Tenant
Standard FIPS 140-2 Level 2
Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto API AWS SDK/API for KMS
Access Authentication/Policy AWS IAM Policy
Key Accessibility Accessible in multiple regions (Keys outside the region in which created cant be used)
High Availability AWS Managed Service
Audit Capability
  • CloudTrail
  • Cloud Watch
TenantMulti-TenantStandardFIPS 140-2 Level 2Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto APIAWS SDK/API for KMSAccess Authentication/PolicyAWS IAM PolicyKey AccessibilityAccessible in multiple regions (Keys outside the region in which created cant be used)High AvailabilityAWS Managed ServiceAudit Capability
  • CloudTrail
  • Cloud Watch
 
TenantMulti-Tenant
StandardFIPS 140-2 Level 2
Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto APIAWS SDK/API for KMS
Access Authentication/PolicyAWS IAM Policy
Key AccessibilityAccessible in multiple regions (Keys outside the region in which created cant be used)
High AvailabilityAWS Managed Service
Audit Capability
  • CloudTrail
  • Cloud Watch
Move your IT infrastructure to Cloud.

AWS CloudHSM

AWS CloudHSM is an AWS hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware, restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs to administer and manage encryption keys, but not have to worry about managing HSM Hardware in a datacenter.
AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM clusters in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given to users whose keys are used through an authentication mechanism separate from AWS.

AWS CloudHSM supports multiple use cases, including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, or storing private keys for various services such as database, storage, and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use of Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.

Below is the table which summarizes the AWS Cloud HSM Crypto Properties

AWS CloudHSM Crypto Properties
 
Tenant Single-Tenant
Standard FIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master Keys Master Key HSM
Crypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/Policy Quorum based K of N principle
Key Accessibility Can be accessed and shared across multiple VPC
High Availability ADD HSM in Different Availability Zones
Audit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support
TenantSingle-TenantStandardFIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master KeysMaster Key HSMCrypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/PolicyQuorum based K of N principleKey AccessibilityCan be accessed and shared across multiple VPCHigh AvailabilityADD HSM in Different Availability ZonesAudit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support
 
TenantSingle-Tenant
StandardFIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master KeysMaster Key HSM
Crypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/PolicyQuorum based K of N principle
Key AccessibilityCan be accessed and shared across multiple VPC
High AvailabilityADD HSM in Different Availability Zones
Audit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support

Custom Key Store

The Custom Key store feature of AWS KMS provides a way of integrating AWS CloudHSM clusters easily with AWS KMS.

Users can configure their CloudHSM cluster to store keys rather than the default KMS key store.

Users can also generate key material within the CloudHSM cluster. The master keys generated in the customer key store never leave the AWS Hardware Security Module in the CloudHSM Cluster in plaintext form, and all the cryptographic operations required by KMS are performed within the HSMs.

Conclusion:

AWS CloudHSM provides single-tenant key storage giving organizations FIPS 140-2 Level 3 compliance. CloudHSM allows full control of your keys, including Symmetric (AES), Asymmetric (RSA), SHA-256, SHA 512, Hash-Based, or Digital Signatures (RSA). On the other hand, AWS Key Management Service is multi-tenant key storage owned and managed by AWS. AWS KMS allows Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC)). Suppose your organization’s key management strategy for encryption will be running a singular cloud service provider for now and for the foreseeable future. In that case, AWS KMS will provide the simplest environment to maintain the keys. However, suppose you are planning to take advantage of multiple cloud providers but do not wish to maintain the HSMs. In that case, AWS CloudHSM may be the solution for your organization that allows separating encryption keys from the data of the other platforms that are being utilized.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read Time: 08 min

Data encryption on the cloud is the most prominent thought every security professional has in their mind these days. While performing data encryption, Security keys are of the utmost importance. When it comes to managing a single security key manually, it is relatively easy, however, if the number of security keys in use are huge, the task of managing those keys becomes cumbersome. Thus, the need arises for automated key management services for data encryption.

AWS KMS (Key Management Service) provides an easy to use WebUI to deal with the management of security keys to protect data-at-rest and data-in-use. AWS KMS is a placeholder for CMK (Customer Master Key) resources containing key metadata to encrypt & decrypt the data. Also, AWS KMS can be integrated with various other AWS services, such as Redshift, EBS, EFS, S3, and Secret Manager, to name a few.

In today’s post, we will discuss the key concepts of AWS KMS and its various features and integration with other AWS services.

Key Types

  1. AWS Managed CMKsThese CMKs are created, managed and used by an AWS service integrated with KMS on behalf of the customer in theirs AWS account. For example, “aws/s3” is the default key in S3 and is used only for your account to encrypt your S3 buckets.
  2. Customer Managed CMKsThese CMKs are created, managed and used by the customer in the AWS account. This is the most widely used method while using KMS, as it provides complete granular level access control over the security keys in an AWS account.
  3. AWS Owned CMKsThese CMKs are owned and managed by AWS service/s for use in multiple AWS accounts. The key for these CMKs is not visible to users. For example, if you choose S3 default encryption, S3 uses its own KMS CMKs that are shared across multiple AWS accounts.

Data Keys

Data keys are encryption keys that the user can use to encrypt large amounts of data and other data encryption keys. Users can use AWS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track the data keys or perform cryptographic operations with data keys. Users must use and manage data keys outside of AWS KMS’ scope.

Access Control to KMS CMKs

The primary way to control the access to your AWS KMS CMKs is with IAM & Key policies. Policy is a combination of declarative statements that describe who has access to what.

  1. IAM PoliciesPolicies attached to an IAM identity are called identity-based policies.
  2. Key PoliciesPolicies attached to resources are called resource-based policies.

In AWS KMS, you must attach resource-based policies to your CMKs i.e. key policies. IAM policies alone cannot permit access to CMKs to IAM users or roles.

Type of CMKCMK management via IAM PolicyCMK management via Key PolicyCan view **CMK MetadataUsed only for specific user accountAutomatic Rotation
Customer ManagedYesYesYesYesOptional*
AWS ManagedNoNoYesYesEvery 3 Years
AWS OwnedNoNoNoNoVaries

* Be default “Automatic Rotation” is disabled, however, user can enable it upto 1 year.

** CMK Metadata is information about the CMK such as Key identifiers, Origin, KeyUsage, KeyState etc.

For example, the metadata type “Origin” signifies the source of the CMK’s key material. When this value is AWS_KMS, AWS KMS created the key material. When this value is EXTERNAL, the key material was imported from external key management infrastructure. When this value is AWS_CLOUDHSM, the key material was created in the AWS CloudHSM cluster associated with a custom key store.

Symmetric and Asymmetric CMKs:

AWS KMS protects the CMK that you use to protect your data and data keys. The CMKs are generated and used only in hardware security modules designed so that no one can access the plaintext key material.

AWS KMS supports symmetric and asymmetric CMKs:

  • Symmetric CMK: This represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted.
  • Asymmetric CMK: This represents a mathematically related public key and private key pair that you can use for encryption and decryption or signing and verification, but not both. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.

AWS KMS also provides symmetric data keys and asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric CMK in AWS KMS.

KMS Custom Key store

A key store is a secure location for storing cryptographic keys. By default, the customer master keys (CMKs) that you create in AWS KMS are generated in and protected by hardware security modules (HSMs) that are FIPS 140-2 Level 2 compliant cryptographic modules. The CMKs never leave the modules unencrypted.

A custom key store is an AWS KMS resource that is associated with an AWS CloudHSM cluster backed by FIPS 140-2 Level 3 HSMs that are owned and managed by user.

When a user creates an AWS KMS CMK in their custom key store, AWS KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated AWS CloudHSM cluster. This key material never leaves your HSM unencrypted. When you use a CMK in a custom key store, the cryptographic operations are performed in the HSMs in the cluster.

What is Bring Your Own Key (BYOK):

A CMK is a logical representation of a master key in which the key material is generated and owned by the AWS. However, users can create a CMK without any key material, and then import external key material into that CMK. This is known as BYOK i.e. Bring Your Own Key

Imported key material is supported for symmetric CMK in AWS KMS key stores; however, this is not supported for asymmetric CMK and Custom Key stores as well.

When imported key material is used, the users remain responsible for the key material while allowing AWS KMS to use a copy of it. This is a common use case where the user wants to have complete control over the key material for regulatory/business/compliance/legal purpose.

Conclusion

AWS KMS is a widely used KMS service among all the KMS as-a-service options available from Cloud vendors. Since AWS KMS provides multiple options for CMKs, it becomes difficult to decide at times which option one should choose under different scenarios. Considering the functionality and feature set available in each CMK, if a user wants to use a key available to all IAM entities in its AWS account, AWS Managed CMK is better choice as the CMK is available for all the IAM users in the same account. However, if user wants to have a granular access control over keys then Customer Managed CMK or BYOK appears to be a better option.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read Time: 15 min.

Encryption is one of the most basic requirements for ensuring data privacy, especially for end-to-end protection of data transmitted across networks. Plain text is encrypted using an encryption algorithm and an encryption key. Encryption converts the readable text to an unreadable text which is called ciphertext (encrypted data).

In today’s blog, we will discuss various encryption options of the AWS Simple Storage Service known as S3. S3 is highly reliable, secure, and inexpensive compared to on-premises (On-prem) data storage for storage-intensive applications e.g. Hadoop EMR. S3 stores the data as objects called “Buckets” and each object can be up to 5 TB in size.

Encryption Methodologies

AWS S3 offers both encryption methodologies, Encryption in Transit and Encryption at Rest.

Encryption in Transit

Encryption in Transit for Amazon S3 can be facilitated with the help of SSL/TLS at the client end as well as with the below similar bucket policy at the bucket level:

{
  "Id": "Policy1600282742195",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1600282739517",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::mysecures3buket",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

Encryption at Rest

Encryption at Rest can further be classified into Client-side encryption and Server-side encryption as well. For both server-side and client-side encryption, AWS utilizes AES-256 with Galois Counter Mode (GCM) for any symmetric key encryption operations. GCM provides authenticated encryption by adding a unique tag to the ciphertext which verifies that the encrypted data has not been tampered with in any way.

Client-side Encryption

In Client-side encryption, the data is encrypted before sending it to the S3 bucket. To implement Client-side encryption in S3, we have the following two options:

  • Use a CMK (customer master key) stored in AWS KMS (Key Management Service)
  • Use a Customer provided master key stored in the customer’s proprietary application

Note

Your client-side master keys and your unencrypted data are never sent to AWS. It’s really important that you manage your encryption keys with the utmost care. If you lose them, you can’t decrypt your data.

Server-side Encryption

In Server-side encryption, the data is encrypted after being sent to the S3 bucket and before storing it in the S3 bucket.

Server-side encryption has the following three options:

  1. Use Amazon S3-managed keys (SSE-S3)In this, the key material and the key will be provided by AWS itself to encrypt the objects in the S3 bucket.
  2. Use CMK (Customer Master key) in AWS KMS (SSE-KMS)In this, key material and the key will be generated in AWS KMS service to encrypt the objects in S3 bucket.
  3. Use a Customer provided encryption key (SSE-C)In this, the key will be provided by the customer and Amazon S3 manages the encryption and decryption process while uploading/downloading the objects into the S3 bucket.

With SSE-S3, Amazon S3 managed Server-side encryption uses one of the most secure block Ciphers, AES -256 (Advanced Encryption Standard) bit, to encrypt each object with a unique key which means no overlapping keys are used for encrypting the objects. Also, these unique keys are encrypted with a Master key which is rotated regularly to yield additional data security.

With SSE-KMS, Amazon S3 uses the AWS KMS functionality to encrypt the data in the S3 bucket. Combining Amazon S3 with the AWS KMS provides a perfect blend of security and availability.

Following is the diagrammatic illustration of how SSE-KMS works:

  1. CMK, using the encryption algorithm (AES-256), creates two keys, one is a plaintext data key and the other is an encrypted data key.

  2. While uploading the object to the S3 bucket, S3 encrypts the object with the plaintext data key. The encrypted object (Ciphertext) along with the encrypted data key is then stored in S3.

  3. While downloading the object from the S3 bucket, S3 sends the encrypted data key to KMS. KMS matches the correct CMK, then it decrypts the encrypted data key and sends the plaintext data key to S3. S3 then downloads the object by decrypting the object with this plaintext data key.

While using SSE-KMS, you can have the following combinations:

  1. Customer Managed CMK (Customer Master Key)This is a use case where you want to have complete control over the CMK i.e. you may create, rotate, disable, audit, and have complete access control who can use it. If you want to use Customer Managed CMKs, you can create it under the AWS KMS console before using it at the S3 level.
  2. AWS Managed CMK (Customer Master Key)This is a use case where you do not specify a Customer Managed CMK. To facilitate the process for users, Amazon S3 automatically creates an AWS managed CMK in the AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this CMK for SSE-KMS.

Note:

  • All requests (GET and PUT) for an object encrypted by SSE-KMS will give an error if they are not made via https or using SigV4. Amazon SigV4 is an authentication mechanism supported by Amazon S3 for signing the API requests. This enables Amazon S3 to perform the sender/source identification and protects your requests from bad actors.
  • Server-side encryption encrypts only the object data, not the object metadata.

With SSE-C, Amazon S3 performs Server-side encryption with customer-provided encryption keys. With the encryption key provided by the user, Amazon S3 manages the encryption and decryption process while writing and accessing the data on disks consecutively. Since the management of encryption and decryption is taken care of by Amazon S3, there is no requirement to manage the code at the user level. The only requirement from a user perspective is to manage the encryption keys.Amazon S3 uses AES-256 bit encryption to encrypt the data with the customer provided key and removes the key from its memory post completion of the encryption process whereas, in the decryption process, it first verifies and matches if the same key is provided (which was provided during the encryption) and then decrypts the data and make it available to the user.

Note:

Amazon S3 does not store the encryption key, rather, it stores a randomly salted HMAC (hash-based message authentication code) value of the encryption key to validate future requests. The salted HMAC value cannot be used to derive the actual encryption key or to decrypt the contents of the encrypted data which means if you lose the encryption key, you lose the data.

Comparison of S3 encryption options:

S3 offers multiple options to encrypt the data in the S3 bucket. The following table summarizes all the available options to encrypt the data at rest and data in transit:

Encryption at Rest Encryption in Transit Symmetric Key Encryption Asymmetric Key Encryption Responsible party for Data encryption/decryption Responsible party for Secret Storage
AWS:SecureTransport N Y Y Y AWS AWS
SSE-S3 Y N Y N AWS AWS
SSE-KMS (AWS managed CMK) Y N Y N AWS AWS
SSE-KMS (customer managed CMK) Y N Y N AWS AWS
SSE-C Y N Y N AWS Customer
AWS SDK + KMS (AWS managed CMK) Y N Y N Customer AWS
AWS SDK + KMS (customer managed CMK) Y N Y N Customer AWS
AWS SDK + self-managed secret Y N Y Y Customer Customer

Conclusion

Amazon S3 is very well suited if you have an environment with various applications generating a large amount of data. The very reason to choose S3 is not only the fact that it can store the mammoth volume of data at cheaper rates, but it’s durable, scalable, and highly available as well. Data privacy and compliance are vital when it comes to data security, which can be achieved using various encryption methods that Amazon S3 offers. With the use of multiple S3 encryption options, you can relax without worrying about any data being compromised.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

AWS has been architected to be one of the most flexible and secure cloud computing environments available. Designed for a scalable, dependable platform, this enables customers to deploy applications and data securely and rapidly. Organizations are continuously moving their infrastructure and applications to cloud service providers. However, security issues play a significant role in making the migration decision. Today, organizations lack clarity on available options for hosting crypto keys in the cloud. For Amazon Web Services, AWS provides two services of crypto key management on their cloud, AWS Key Management Service (KMS) or AWS CloudHSM.

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs for administering and managing the encryption keys, but not having to worry about managing HSM Hardware in a data center.

AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given for users how keys are used through an authentication mechanism separate from AWS. AWS CloudHSM supports multiple use cases including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, storing private keys for various services such as database, storage and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.

Below is the table which summarizes the AWS Cloud HSM Crypto Properties

AWS CloudHSMCrypto Properties
Tenant Single-Tenant
Standard FIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master Keys Master Key HSM
Crypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/Policy Quorum based K of N principle
Key Accessibility Can be accessed and shared across multiple VPC
High Availability ADD HSM in Different Availability Zones
Audit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support
AWS Key Management Services (KMS)

AWS KMS allows for your organization to create and control keys for cryptographic operations. This includes key generation, storage, management, and auditing when in the process of encrypting/decrypting or digitally signing data for applications or across AWS services. AWS KMS allows ability of complete security through managed encryption keys across AWS platforms.  Centralized key management gives the user a central point of control for managing keys and defining access policies throughout all integrated AWS services. With AWS KMS, you will have the ability to create a customer master key (CMK) generally known as a master key, use a master key, create and export a data key encrypted by a master key, enable/disable master keys, and audit the usage of master keys in AWS CloudTrail. AWS incorporates Master keys and Data keys. The Master key will not leave the AWS KMS service in an unencrypted form. With AWS KMS, specific access policies can be set for only trusted users that can use CMKs. In AWS KMS, Bring your own key (BYOK) feature is available to import your own key material into that CMK, however, the imported key material is supported only for symmetric CMKs in AES-256-XTS keys in PKCS#1 standard format. AWS KMS can be paired with AWS CloudHSM cluster to create the key material for a CMK that can be managed by AWS KMS service.

AWS Key Management Service Crypto Properties
Tenant Multi-Tenant
Standard FIPS 140-2 Level 2
Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto API AWS SDK/API for KMS
Access Authentication/Policy AWS IAM Policy
Key Accessibility Accessible in multiple regions (Keys outside the region in which created cant be used)
High Availability AWS Managed Service
Audit Capability
  • CloudTrail
  • Cloud Watch
AWS KMS. And AWS CloudHSM

AWS CloudHSM provides single tenant key storage giving FIPS 140-2 Level 3 compliance. CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA). On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed by AWS. AWS KMS allows supports Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC).
If your organization’s key management strategy for encryption will be running a singular cloud service provider for now and for the foreseeable future, then AWS KMS will provide the simplest environment to maintain. However, if you are planning on taking advantage of multiple cloud providers but do not wish to maintain the HSM’s, AWS CloudHSM may be the solution for your organization to allow for encryption keys separated from the data of the other platforms that are being utilized.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk