Amazon Web Services KMS Basics, The only guide you need!

Tom Sinclair
2 min read · Jan 17, 2021

I recently did my first post in a while, based on AWS security, Identity and Access Management concepts. You can read it here (https://medium.com/bugbountywriteup/amazon-web-services-iam-basics-the-only-guide-you-need-ad2697b6a38e). I seem to have had some good initial feedback so far; it was also featured over at Infosec-Writeups, run by Sai Krishna Kothapalli. To that end, I thought I would continue with some core key concepts of AWS.

This topic will focus on AWS Key Management Service (KMS).

What is this? [overview]

AWS Key Management Service:

  • Makes it easier for you to create and manage cryptographic keys. [These essentially protect your DATA!]
  • Secure, resilient and possesses a good reputation. [Compliance tested and graded]
  • Integrated with AWS CloudTrail and uses IAM for access control.
  • KMS keys are tied to Regions.

With that in mind, what are the features?

  • AWS KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys whenever you wish, and you can control who can manage keys versus who can use them.
  • AWS is not the only compatible key management service that can be linked up to AWS. You can import keys.
  • KMS stores Customer Master Keys (CMKs); a CMK is a logical representation of a key.
  • A CMK never leaves KMS and never leaves its Region.

How KMS Encrypts Data

  • We start with the plaintext, then use a data key along with an algorithm to produce the encrypted data.
  • The encrypted data is finally stored in storage, which can be anything (e.g. EBS, EFS, S3…).
  • KMS then takes the data key and encrypts it with a master key, along with an encryption algorithm, resulting in an encrypted data key that is stored alongside the data.
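
The flow in the three steps above, as an added example that is not part of the original post and makes no AWS calls. It runs locally on Node's crypto module; LocalKms, seal, open, envelopeEncrypt and envelopeDecrypt are hypothetical names, and AES-256-GCM is an assumed algorithm, since the post does not name one.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// seal: AES-256-GCM; output layout is nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// open: checks the tag, so a modified or truncated blob throws.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// LocalKms: in-process stand-in for KMS (assumption, not the AWS SDK).
// #master plays the master key; no method ever returns it.
class LocalKms {
  #master = randomBytes(32);
  generateDataKey() {
    const plaintext = randomBytes(32);
    return { plaintext, encrypted: seal(this.#master, plaintext) };
  }
  decrypt(encryptedDataKey) {
    return open(this.#master, encryptedDataKey);
  }
}

// Caller side: encrypt with the data key, store only its encrypted form.
function envelopeEncrypt(kms, data) {
  const { plaintext: dataKey, encrypted } = kms.generateDataKey();
  const record = { data: seal(dataKey, data), encryptedDataKey: encrypted };
  dataKey.fill(0); // the plaintext data key is wiped, never stored
  return record;
}

// Caller side: ask the KMS stand-in to unwrap the data key, then decrypt.
function envelopeDecrypt(kms, record) {
  const dataKey = kms.decrypt(record.encryptedDataKey);
  try {
    return open(dataKey, record.data);
  } finally {
    dataKey.fill(0);
  }
}
```

The stored record holds only the encrypted data and the encrypted data key, so reading it back requires a decrypt call to the key service that holds the master key.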

AWS Console: Go to AWS Console → Security, Identity, & Compliance → Key Management Service → Create a key
