AWS KMS & Cloud HSM
Feb 22, 2021
This is part of a blog series giving a high-level overview of the different services examined on the AWS Solutions Architect Associate exam; to view the whole series, click here.
Key Management Service (KMS) Summary
- KMS is a managed service that allows you to create and control encryption keys (Customer Master Keys).
- Can integrate with most other AWS services to increase security and make it easier to encrypt your data.
- Allows you to control access to the keys using things like IAM policies or key policies.
- Provides you with a central place to manage all keys.
- Encrypt/decrypt up to 4KB.
- Pay per API call.
- Validated under the FIPS 140-2 (Level 2) security standard.
Types of Customer Master Keys (CMKs)
- Customer Managed CMKs → Keys that you have created in AWS, that you own and manage. You are responsible for managing their key policies, rotating them and enabling/disabling them.
- AWS Managed CMKs → These are free and are created by an AWS service on your behalf and are managed for you. However, only that service can use them.
- AWS Owned CMKs → owned and managed by AWS and shared across many accounts.
Symmetric CMKs
- With symmetric keys, the same key is used to encrypt and decrypt.
- The key never leaves AWS unencrypted.
- You must call the KMS API to use a symmetric key.
- The AWS services that integrate with KMS use symmetric CMKs.
Asymmetric CMKs
- Asymmetric keys are mathematically related public and private key pairs.
- The private key never leaves AWS unencrypted.
- The public key can be downloaded and used outside of AWS; operations that need the private key go through the KMS API.
- AWS services that integrate with KMS DO NOT support asymmetric keys.
Cloud Hardware Security Module (HSM) Summary
- Dedicated cloud-based hardware security module for creating, using and managing your own encryption keys in AWS.
- Conforms to the FIPS 140-2 (Level 3) security standard.
- You have no access to the AWS-managed component, and AWS has no visibility into or access to your keys.
- Works with industry-standard APIs; there are no AWS-specific APIs for CloudHSM.
- CloudHSM runs within a VPC in your account.
- Lost keys cannot be recovered.