📖 What is AWS KMS?
AWS Key Management Service (KMS) is a managed service that facilitates the creation and control of cryptographic keys used to encrypt your data. KMS supports symmetric and asymmetric keys, integrating with various AWS services to protect data at rest and in transit, enhancing security posture.
"KMS employs envelope encryption. The Customer Master Key (CMK) encrypts the Data Key, which then encrypts the actual data. Understand the difference between AWS-managed keys, Customer-managed keys, and keys imported into KMS. Be aware of key rotation policies and access control mechanisms."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of AWS KMS?
- ▸ KMS utilizes envelope encryption: CMKs encrypt data keys, which then encrypt your data, providing a layered security approach.
- ▸ AWS-managed keys are the simplest to use, while Customer-managed keys offer greater control over key lifecycle and permissions.
- ▸ Key rotation is crucial for security; KMS can automatically rotate keys, reducing the impact of potential compromise.
- ▸ IAM policies control access to KMS keys, defining who can perform actions like encrypt, decrypt, and manage keys.
- ▸ KMS integrates seamlessly with other AWS services like S3, EBS, and RDS, simplifying data encryption across your environment.
🎯 How does AWS KMS appear on the SAA-C03 Exam?
You may be asked to identify the most cost-effective and secure method for encrypting data stored in S3, considering KMS integration and key management options.
A scenario might describe a requirement to comply with specific data encryption regulations; determine how KMS can help meet those compliance needs.
Expect questions about choosing the appropriate key type (symmetric vs. asymmetric) based on the use case, such as encrypting large files versus signing code.
❓ Frequently Asked Questions
What's the difference between a CMK and a data key?
A CMK (Customer Master Key) is the master encryption key stored in KMS. Data keys are generated by KMS, used to encrypt your data, and are then encrypted by the CMK. Data keys are ephemeral.
When would I choose to use a Customer-managed key instead of an AWS-managed key?
Choose Customer-managed keys when you need greater control over the key lifecycle, auditing, or need to meet specific compliance requirements. AWS-managed keys are simpler but offer less control.
How does KMS handle key availability and durability?
KMS automatically replicates CMKs across multiple Availability Zones within an AWS region, ensuring high availability and durability. AWS handles the underlying infrastructure and key protection.