AWS KMS & Cloud HSM

Chloe McAree
2 min read · Feb 22, 2021

This is part of a blog series giving a high-level overview of the different services examined on the AWS Solution Architect Associate exam; to view the whole series click here.

Key Management Service (KMS) Summary

KMS Logo — https://bit.ly/3av1eyN
  • KMS is a managed service for creating and controlling encryption keys (Customer Master Keys).
  • Integrates with most other AWS services, which both increases security and makes it easier to encrypt your data.
  • Lets you control access to keys with IAM policies and key policies.
  • Gives you a central place to manage all of your keys.
  • The Encrypt/Decrypt API calls work on up to 4 KB of data directly; larger data is encrypted locally with a data key generated by KMS (envelope encryption).
  • Pay per API call.
  • Validated under the FIPS 140-2 (Level 2) security standard.

Types of Customer Master Keys (CMKs)

  1. Customer Managed CMKs → Keys that you have created in AWS, and that you own and manage. You are responsible for their key policies, for rotating them and for enabling/disabling them.
  2. AWS Managed CMKs → Free keys created by an AWS service on your behalf and managed for you. However, only that service can use them.
  3. AWS Owned CMKs → Owned and managed by AWS and shared across many accounts.

Symmetric CMKs

  • With symmetric keys, the same key is used to encrypt and decrypt.
  • The key never leaves AWS unencrypted.
  • You must call the KMS API to encrypt or decrypt with a symmetric key.
  • The AWS services that integrate with KMS use symmetric CMKs.

Asymmetric CMKs

  • Asymmetric keys are mathematically related public and private key pairs.
  • The private key never leaves AWS unencrypted.
  • The public key can be downloaded and used outside of AWS; operations that need the private key must go through the KMS API.
  • AWS services that integrate with KMS DO NOT support asymmetric keys.

Cloud Hardware Security Module (HSM) Summary

  • Dedicated cloud-based hardware security module for creating, using and managing your own encryption keys in AWS.
  • Conforms to the FIPS 140-2 (Level 3) security standard.
  • AWS manages the underlying hardware but has no visibility into, or access to, your keys.
  • Works with industry-standard APIs (PKCS#11, JCE, CNG/KSP); there are no AWS APIs for using the HSM.
  • CloudHSM runs inside a VPC in your account.
  • If you lose your keys they cannot be recovered; AWS holds no copy.
