Wednesday, December 28, 2022

KMS


KMS keys Documentation 


  •  AWS KMS replaced the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.

Managing keys - creating a KMS key
  • symmetric encryption KMS keys - "When you create an AWS KMS key, by default, you get a KMS key for symmetric encryption. This is the basic and most commonly used type of KMS key." 
  • asymmetric KMS keys - used for public-key encryption or for signing and verification; HMAC KMS keys are a separate type used to generate and verify HMAC tags
  • An AWS KMS key is a logical representation of a cryptographic key.
  • Metadata of a KMS key includes 
    • the key ID
    • key specification
    • key use
    • creation date
    • description
    • key status
  • Most crucially, it includes a reference to the key material used when performing cryptographic operations with the KMS key.
  • Symmetric KMS keys and the private keys of asymmetric KMS keys never leave AWS KMS unencrypted.
  • To use or manage a KMS key, you must go through AWS KMS.
  • AWS KMS generates the key material for a KMS key by default.
  • This key material cannot be extracted, exported, viewed, or managed directly.
  • The only exception is the public key of an asymmetric key pair, which can be exported for use outside AWS.

More on keys:

The KMS keys that you create are customer managed keys.

The KMS keys that AWS services create in your AWS account are AWS managed keys.

- You don't have to create or maintain the key or its key policy, and there's never a monthly fee for an AWS managed key.

- You can view the AWS managed key.

- You can view its key policy.

- You can audit the key's use in AWS CloudTrail logs.

- AWS managed keys appear on the AWS managed keys page of the AWS Management Console for AWS KMS.

- You can also identify AWS managed keys by their aliases, which have the format aws/service-name.

What is AWS CloudFormation? - AWS CloudFormation (amazon.com)

CloudFormation AWS KMS Key: Explained 

AWS KMS CloudFormation resources are accessible in all Regions that support AWS KMS and AWS CloudFormation. 

The AWS::KMS::Key resource can be used to create and manage all KMS key types supported in a Region.


Creating a key policy - AWS Key Management Service (amazon.com)


aws-kms-developer-guide/creating-resources-with-cloudformation.md at master · awsdocs/aws-kms-developer-guide · GitHub



AES - advanced encryption standard
CMK - customer master key
- asymmetric - has a public key (encrypts data) and a private key (decrypts data), and the two must be used together
- symmetric - the same key is used for encryption and decryption
Customer managed or AWS managed keys

KMS access management: control access using different AWS approaches, including
  • key policy (policy attached to the key)
  • IAM policy (policy attached to the principal: user/role)
  • grants (attached programmatically)
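To contrast the key policy with the second approach, here is an added example (not from the original notes and not an AWS-published policy) of an IAM identity-based policy attached to a role. It allows only cryptographic use of one specific key; the account ID 111122223333 and key ID 1234abcd-12ab-34cd-56ef-1234567890ab are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfAppDataKeyOnly",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

Two points to check when reviewing such a policy: the Resource is a single key ARN rather than "*", so the role cannot use other keys in the account, and the policy only takes effect if the key's own key policy delegates to IAM (the statement that names the account root user as principal). Without that delegation, an IAM policy alone grants nothing on the key.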

KMS policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html)

  • administrator - administrative actions, e.g. creating, enabling or disabling a key
  • user - cryptographic actions, e.g. encrypt/decrypt

A principal (who can perform the actions) is an IAM user, an IAM role, or the account root user.

KMS requires a key policy for each customer managed key.

The key policy can be viewed, along with the key's other details.

Statement Id (SID): Enable IAM User Permissions
- states explicitly which actions the root user (or a specific user) of this account is allowed on the specified resources. Naming the account root user here delegates access control to IAM policies for all users in this account; without this statement the root user does not have access to the key.

Statement Id (SID): Allow access for Key Administrators
- for an administrator, allows the administrative actions on the key

Statement Id (SID): Allow use of the key
- for a user, allows the cryptographic actions on the key

Statement Id (SID): Allow attachment of persistent resources
- for grants, lets the named principals manage who can perform which actions on the key