• regional service operating in public zone
  • functionality
    • KMS manages cryptographic keys (both symmetric and asymmetric)
    • KMS allows encrypting and decrypting with KMS keys
  • backed by FIPS 140-2 validated HSMs (originally Level 2; AWS KMS has been validated at Level 3 since 2023): key material never leaves the HSMs in plaintext, so users cannot extract KMS keys
  • KMS key is a logical key (an AWS resource with a key ID, ARN and aliases) backed by physical key material (data blobs). Rotation swaps in new backing material while the key ID, ARN, aliases and policy stay the same; old material is kept so earlier ciphertext still decrypts.
  • type of keys
    • KMS keys can encrypt/decrypt at most 4 KB (4096 bytes) per call, so they are meant for wrapping Data Encryption Keys (DEKs) and small secrets, not bulk data
      • bound to a region, but multi-region keys (replicas with the same key ID and key material in other regions) are also available
      • can be AWS-owned or live in the customer's account
        • AWS-owned key: owned by an AWS service and shared across many customer accounts; not visible in your account, no key policy to manage and no charge
        • keys in your account
          • AWS-managed (alias aws/<service>, e.g. aws/s3): created in your account by a service the first time you use it with encryption; key policy is viewable but not editable
          • customer-managed: created by the customer and fully configurable, e.g. key policy, aliases, rotation, deletion
      • key rotation
        • AWS-managed: automatic rotation every year, cannot be changed
        • customer-managed: automatic rotation is off by default and can be enabled (new backing key material, same key ID); manual rotation means creating a new key and repointing the alias
    • DEKs: generated by KMS under a KMS key (GenerateDataKey) to encrypt large amounts of data locally (envelope encryption)
      • when created: a plaintext version and a ciphertext version (encrypted under the KMS key); store only the ciphertext version next to the data and discard the plaintext after use
      • DEK is not managed by KMS: KMS does not store or track it, so losing the ciphertext version (or the KMS key) means losing the data. Once DEK is decrypted with KMS key,
  • key policy: a resource-based policy that every KMS key has; it is the primary way access to the key is granted
    • Note that unlike other services, a key must explicitly trust the AWS account it lives in: the key policy needs a statement allowing the account root principal (arn:aws:iam::<account-id>:root) kms:* (the "Enable IAM User Permissions" statement in the default policy).
    • Only after the account is trusted this way do identity-based (IAM) policies have any effect on the key. A customer-managed key created without that statement and without any other usable principal can only be recovered through AWS Support.
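The root-trust statement above is easy to drop when writing a key policy by hand. The following is an added example (not from the original notes) that builds a minimal three-statement customer-managed key policy and checks an arbitrary policy document for the statement IAM depends on. The account ID and role names are placeholders (assumed); the serialized output is what you would pass to `aws kms create-key --policy`.

```python
"""Added example, not part of the original notes: build a customer-managed key
policy that keeps IAM usable on the key, and check an existing policy for the
root-trust statement. Account id and role names are placeholders (assumed)."""
import json


def key_policy(account_id, admin_role, user_role):
    """Minimal three-statement key policy: root trust, key administrators, key users."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # "Enable IAM User Permissions": without it IAM policies cannot grant access to this key
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # administrators manage the key but get no crypto operations
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{admin_role}"},
                "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:TagResource",
                           "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # users get only the data-plane calls envelope encryption needs
                "Sid": "AllowKeyUse",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{user_role}"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
        ],
    }


def _as_list(v):
    # IAM allows a bare string or a list in Principal.AWS and Action
    return [v] if isinstance(v, str) else list(v or [])


def trusts_account_root(policy, account_id):
    """True if an Allow statement grants the account root principal kms:* (or *)."""
    root_forms = {f"arn:aws:iam::{account_id}:root", account_id}  # both spellings are valid
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if root_forms & set(_as_list(principal.get("AWS"))) and \
                any(a in ("kms:*", "*") for a in _as_list(st.get("Action"))):
            return True
    return False


def policy_json(policy):
    """Serialized form for `aws kms create-key --policy file://...` or boto3 create_key(Policy=...)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    p = key_policy("111122223333", "kms-admins", "app-workload")  # placeholder ids (assumed)
    print(policy_json(p))
    print(trusts_account_root(p, "111122223333"))
```

Running `trusts_account_root` over the output of `aws kms get-key-policy --policy-name default` for each customer-managed key is a cheap audit for keys that IAM can no longer reach; the check looks only at the root statement and does not evaluate Deny statements or conditions.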
# encrypt directly with the KMS key; only works for plaintext up to 4096 bytes
aws kms encrypt \
    --key-id alias/$key_alias \
    --plaintext fileb://$path_to_file \
    --output text \
    --query CiphertextBlob \
    | base64 -d > file.enc

# decrypt; --key-id is optional for symmetric keys (the ciphertext blob records the key)
# but required for asymmetric keys, and passing it is good practice either way
aws kms decrypt \
    --key-id alias/$key_alias \
    --ciphertext-blob fileb://file.enc \
    --output text \
    --query Plaintext \
    | base64 -d > file.txt
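The CLI calls above hit the 4 KB limit as soon as the file is larger than a key. The following is an added example (not from the original notes) of the DEK flow the notes describe: a data key is generated under the KMS key, the bulk data is encrypted locally with AES-GCM, and only the wrapped DEK is stored with the ciphertext. The functions take any object with boto3-style `generate_data_key()` and `decrypt()` methods, so `boto3.client("kms")` works as `kms`; `FakeKms` is an in-memory stand-in written for this example (an assumption, not AWS code) so it runs offline. It also models the encryption context, which a real KMS binds to the ciphertext and which must be supplied again on decrypt.

```python
"""Envelope encryption with a KMS data key, as an added example that is not part
of the original notes. Anything with boto3-style generate_data_key()/decrypt()
methods can be passed as `kms` (e.g. boto3.client("kms")); FakeKms is an
offline stand-in (an assumption, not AWS code) that mimics the behaviour the
notes describe: 4 KB limit, encryption context bound to the ciphertext, and
master key material that callers never see."""
import json
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KMS_MAX_PLAINTEXT = 4096  # Encrypt/Decrypt limit for a symmetric KMS key


class FakeKms:
    """In-memory imitation of the few KMS calls used below (assumed shape, not the real service)."""

    def __init__(self):
        self._keys = {}  # key id -> 256-bit master key; never returned to callers

    def create_key(self):
        key_id = os.urandom(16).hex()  # 32 hex chars, stands in for a real KMS key id
        self._keys[key_id] = AESGCM.generate_key(bit_length=256)
        return {"KeyMetadata": {"KeyId": key_id}}

    @staticmethod
    def _aad(context):
        # KMS cryptographically binds the encryption context to the ciphertext;
        # modelled here as AES-GCM associated data over its canonical JSON form.
        return json.dumps(context or {}, sort_keys=True).encode()

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if len(Plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("plaintext exceeds 4096 bytes; wrap a data key instead")
        nonce = os.urandom(12)
        ct = AESGCM(self._keys[KeyId]).encrypt(nonce, Plaintext, self._aad(EncryptionContext))
        # a real ciphertext blob also records the key id, which is why decrypt needs no KeyId
        return {"KeyId": KeyId, "CiphertextBlob": KeyId.encode() + nonce + ct}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, KeyId=None):
        key_id = CiphertextBlob[:32].decode()
        nonce, ct = CiphertextBlob[32:44], CiphertextBlob[44:]
        if KeyId is not None and KeyId != key_id:
            raise ValueError("ciphertext was not produced under KeyId")
        pt = AESGCM(self._keys[key_id]).decrypt(nonce, ct, self._aad(EncryptionContext))
        return {"KeyId": key_id, "Plaintext": pt}

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        dek = AESGCM.generate_key(bit_length=256)
        wrapped = self.encrypt(KeyId, dek, EncryptionContext)["CiphertextBlob"]
        return {"KeyId": KeyId, "Plaintext": dek, "CiphertextBlob": wrapped}


def envelope_encrypt(kms, key_id, data, context):
    """Encrypt data of any size: wrapped DEK || nonce || AES-GCM ciphertext."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    nonce = os.urandom(12)
    ct = AESGCM(resp["Plaintext"]).encrypt(nonce, data, None)
    # only the wrapped DEK is persisted; the plaintext DEK is used for this call and dropped
    wrapped = resp["CiphertextBlob"]
    return struct.pack(">H", len(wrapped)) + wrapped + nonce + ct


def envelope_decrypt(kms, blob, context):
    """Unwrap the DEK through KMS (one small Decrypt call), then decrypt locally."""
    wlen = struct.unpack(">H", blob[:2])[0]
    wrapped, nonce, ct = blob[2:2 + wlen], blob[2 + wlen:14 + wlen], blob[14 + wlen:]
    dek = kms.decrypt(CiphertextBlob=wrapped, EncryptionContext=context)["Plaintext"]
    return AESGCM(dek).decrypt(nonce, ct, None)


def can_decrypt(kms, blob, context):
    """True if blob decrypts under this context; a mismatched context fails the GCM tag."""
    try:
        envelope_decrypt(kms, blob, context)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    kms = FakeKms()
    kid = kms.create_key()["KeyMetadata"]["KeyId"]
    ctx = {"app": "notes", "purpose": "demo"}  # constructed sample context
    blob = envelope_encrypt(kms, kid, b"large payload " * 10_000, ctx)
    print(len(blob), can_decrypt(kms, blob, ctx), can_decrypt(kms, blob, {"app": "other"}))
```

Against the real service the same mismatch surfaces as `InvalidCiphertextException` from the KMS client rather than `InvalidTag`, so production code should catch both. Note that Python cannot securely zero the plaintext DEK; the protection is that it is never written anywhere, only the wrapped copy is.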