oam/knowledge base/cloud computing/aws/kms.md
2025-08-03 12:00:37 +02:00


AWS Key Management Service

AWS' native encryption key management service.

  1. TL;DR
  2. Aliases
  3. Further readings
    1. Sources

TL;DR

Creates and controls the encryption keys one uses to encrypt data.
Keys created in KMS are protected by HSMs validated at FIPS 140-3 Security Level 3.
They are created, managed, used, and deleted entirely within the managed service, and their plaintext key material never leaves KMS. To use or manage a key, one must call the KMS API: the service performs the cryptographic operation and returns the result, it never hands out the key.

The service charges a monthly fee per customer managed key (prorated), plus $0.03 to $12 per 10,000 API requests depending on the action and the type of key used (asymmetric and HMAC operations are the expensive ones).
Refer to Pricing.

Key policies are the primary way to control access to KMS keys.
Every KMS key has exactly one key policy; KMS attaches a default one if none is given at creation time.
Statements in the key policy determine which principals may use or administer the key and how. IAM policies and grants can add to, but never replace, what the key policy allows.
Key policies are Regional, like the keys they protect.

Important

IAM policies control access to a KMS key only if the key policy explicitly allows it, which the default key policy does through its "Enable IAM User Permissions" statement granting kms:* to the account root principal (arn:aws:iam::<account id>:root). That statement delegates to IAM; it does not by itself give any IAM user or role access to the key.
Without such delegation from the key policy, IAM policies have no effect on the key.

No AWS principal, including the account root user and the key creator, has any permissions to a key until a key policy, IAM policy, or grant explicitly allows, and never denies, access to it.

Keys created by customers are referred to as customer managed keys.
They are recommended when one wants full control over the keys' lifecycle, key policy, rotation and usage.
Customer managed keys incur both management (monthly per-key) and usage (per-request) costs.

AWS managed keys are keys that exist in an account, but can only be used in the context of an AWS service and only in the same account. One cannot share resources encrypted under an AWS managed key with other accounts.
They do not allow managing anything about their lifecycle or permissions.
AWS managed keys do not have management costs, but incur usage costs.
These keys use an alias of the form aws/<service code>, e.g. aws/ebs.

AWS managed keys are a legacy key type, and are no longer being created for new AWS services as of 2021. Instead, services are now using AWS owned keys to encrypt customer data by default.
AWS owned keys are stored in an AWS account managed by the related AWS service. Only the service's operators can manage the keys' lifecycle and usage permissions.
By using AWS owned keys, AWS services can transparently encrypt data and allow for cross-account or cross-region sharing of data.
Customers are not charged for the keys' existence nor their usage, but they cannot change their policies, audit activities on these keys, nor delete them.

KMS can provide encryption keys for protecting data in other AWS services (e.g., EBS, RDS, S3). AWS services that integrate with KMS only use symmetric encryption keys to encrypt data; they do not support encryption with asymmetric keys.

Asymmetric keys are related public key and private key pairs.
The private key is created in KMS and never leaves the service unencrypted. To use the private key, one must interact with KMS.
One can use the public key by calling the AWS APIs, or download it and use it outside of KMS.

Use a symmetric encryption KMS key to encrypt the data one stores or manages in an AWS service.

Aliases

Refer to Aliases in AWS KMS.

Each key is identified by its key ID (and key ARN), but can have one or more aliases associated with it.
Aliases allow using a human-friendly name (e.g., alias/app/orders) to identify the key they point to in some AWS operations. An alias name is unique within an account and Region and points to exactly one key at a time, though it can be re-pointed to another key with UpdateAlias, which is how one swaps keys without changing application configuration.
They are not a property of a key, and actions on the alias do not affect the associated key. However, all aliases associated with a key are deleted when that key is deleted.

Important

An alias ARN used as the Resource of an IAM policy statement refers to the alias itself (it governs alias operations such as kms:CreateAlias, kms:UpdateAlias and kms:DeleteAlias), not to the key it points to, and it does not authorize cryptographic operations on that key. To control use of a key that callers address through its alias, put the key ARN in Resource and, if the restriction must be alias-based, use the kms:RequestAlias condition key.
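The two "Important" notes on this page (the key policy gating IAM policies, and an alias ARN as Resource not covering the key) are easy to get wrong in review. The following is an added example, not code from this page or from AWS: a deliberately simplified model of the KMS authorization rules stated above, so the cases can be exercised offline. It is not AWS's policy engine (it ignores SCPs, permission boundaries, condition keys and cross-account cases), and the account ID, key ID, alias, role and user names are constructed sample values.

```python
"""Simplified model of KMS key authorization, added as an illustration of the
rules on this page. Not AWS's policy engine: SCPs, permission boundaries,
condition keys and cross-account cases are ignored. All identifiers below
are constructed sample values."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALIAS_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:alias/app/orders"

# Default key policy: its single statement delegates to the account root,
# which is what makes IAM policies in the account effective. It grants
# nothing to any IAM user or role by itself.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}

# A key policy without root delegation: IAM policies in the account are inert.
LOCKED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/kms-admin"},
    "Action": ["kms:DescribeKey", "kms:ScheduleKeyDeletion"], "Resource": "*"}]}

# Constructed IAM policies attached to alice, and a grant issued to her.
IAM_DECRYPT_ON_KEY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
IAM_DECRYPT_ON_ALIAS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": ALIAS_ARN}]}
IAM_DENY_DECRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"}]}
DECRYPT_GRANT = {"GranteePrincipal": ALICE, "Operations": ["Decrypt"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Policy-style wildcard match ("kms:*", "*") against one value."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _key_policy_effects(key_policy, principal, action):
    """Yield (Effect, how) for each key-policy statement covering `action`
    that names `principal` directly or delegates to the account root."""
    for stmt in key_policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        named = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal in named:
            yield stmt["Effect"], "direct"
        elif ROOT in named and principal.startswith(f"arn:aws:iam::{ACCOUNT}:"):
            yield stmt["Effect"], "delegated"


def _iam_effects(iam_policies, action):
    """Effects of the caller's IAM statements covering the action AND the key
    ARN. An alias ARN as Resource never matches the key ARN, so such a
    statement has no effect on cryptographic use of the key."""
    return [s["Effect"] for p in iam_policies for s in p["Statement"]
            if _matches(s.get("Action", []), action)
            and _matches(s.get("Resource", []), KEY_ARN)]


def is_authorized(principal, action, key_policy, iam_policies=(), grants=()):
    """True if `principal` may call `action` (e.g. "kms:Decrypt") on the key.

    1. an explicit Deny in the key policy or an applicable IAM policy wins;
    2. a key-policy Allow naming the principal grants access;
    3. an IAM Allow grants access only if the key policy delegates to root;
    4. a grant whose Operations include the action grants access;
    5. otherwise access is denied, even for the account root or key creator.
    """
    key_effects = list(_key_policy_effects(key_policy, principal, action))
    iam_effects = _iam_effects(iam_policies, action)
    if "Deny" in [e for e, _ in key_effects] or "Deny" in iam_effects:
        return False
    if ("Allow", "direct") in key_effects:
        return True
    if ("Allow", "delegated") in key_effects and "Allow" in iam_effects:
        return True
    operation = action.split(":", 1)[1]  # "kms:Decrypt" -> "Decrypt"
    return any(g["GranteePrincipal"] == principal and operation in g["Operations"]
               for g in grants)


if __name__ == "__main__":
    for name, who, kp, iam, gr in [
        ("default policy + IAM allow", ALICE, DEFAULT_KEY_POLICY, [IAM_DECRYPT_ON_KEY], []),
        ("default policy, no IAM", ALICE, DEFAULT_KEY_POLICY, [], []),
        ("locked policy + IAM allow", ALICE, LOCKED_KEY_POLICY, [IAM_DECRYPT_ON_KEY], []),
        ("locked policy, account root", ROOT, LOCKED_KEY_POLICY, [], []),
        ("locked policy + grant", ALICE, LOCKED_KEY_POLICY, [], [DECRYPT_GRANT]),
        ("alias ARN as IAM Resource", ALICE, DEFAULT_KEY_POLICY, [IAM_DECRYPT_ON_ALIAS], []),
        ("IAM allow + IAM deny", ALICE, DEFAULT_KEY_POLICY, [IAM_DECRYPT_ON_KEY, IAM_DENY_DECRYPT], []),
    ]:
        print(f"{name:30} -> {is_authorized(who, 'kms:Decrypt', kp, iam, gr)}")
```

The cases worth noting: with the locked key policy the account root itself is denied, as is alice despite a perfectly good IAM policy, because nothing in the key policy delegates to IAM; a grant still works there because grants are evaluated independently of IAM policies; and the IAM statement scoped to the alias ARN does nothing for kms:Decrypt on the key.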

Further readings

Sources