Encrypt in AWS using the Key Management Service (KMS)

The AWS Key Management Service (KMS) allows you to create and manage cryptographic keys that you can use across a wide range of services in Amazon's cloud and your applications. We will walk through an example of encrypting your files in S3 by using KMS.

Contents

How secure are KMS keys?
The AWS KMS service console
- KMS managed master keys
- Customer managed master keys
Creating a customer managed key and encrypting the S3 bucket
KMS API logging with CloudTrail
Conclusion

Author
Recent Posts

Graham Beer

Graham is an experienced system engineer with a passion for PowerShell and automation. You can follow his blog or reach him on Twitter at @GKBeer.

How secure are KMS keys?

AWS KMS is a fully managed service and will ensure the security of your keys. AWS provides server-side encryption of your data. When you send unencrypted, raw data to AWS, the AWS infrastructure will encrypt this data and then store it to disk. When you need to retrieve the data, AWS will read and decrypt it before sending it back to you. As the user of AWS, you do not see this process happening; it all happens under the hood.

To further keep your data secure, AWS makes use of a concept called envelope encryption. Your data is encrypted with the KMS key, but what about the key itself? Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key. This other key is known as the master key. AWS helps protect the master key by storing and managing it securely.

The AWS KMS service console

The KMS console provides a single point for managing your keys and defining polices to use with the respective AWS services. When you go to the KMS landing page in AWS, you will see the screen below:

AWS Key Management Service console

To the left of the screen, you can choose which type of key to view: KMS managed keys or customer managed keys. These are the two ways to manage keys in your account. What does each option provide?

KMS managed master keys

Individual AWS services request KMS to create a master key for their use only.
Each service defines a standard key policy.
You can't edit the policy or remove the keys.

Customer managed master keys

You control the key lifecycle.
You create the keys in advance and delete when you are done.
You decide which service to use with the key.
You define the key policy for each key.

The Alias column appears in the center of the console. The Alias is a user-friendly name by which to identify your custom keys. The key ID is automatically generated on when the key is created.

Creating a customer managed key and encrypting the S3 bucket

We have gone over the theory of KMS; now is a good time to look at a working example. We will be creating a customer managed key, or CMK, and setting up a bucket for encryption.

To start, let's create a customer key. We will be doing this through the console, but it is also possible to create it through the AWS CLI or the SDK. Navigate to the KMS landing page and select Customer managed keys. Choose Create key. Leave the default settings and click Next.

Configuring the key through the AWS console

Add a user-friendly name for your key in the Alias field. Adding a description is optional.

Naming and adding a description

You are required to give an IAM user administrative permissions to the key. This will be the user who will own and manage the key.

Defining your administrator for the key

Assign a user or role that will be able to use the keys to encrypt the data.

Defining the user or role for the key

Review and edit the key policy. A JSON policy will display all the details assigned to the key.

Review the CMK policy assigned to key

Now that we have created our CMK key, we can use it to encrypt our data.

The new CMK key from the console

We are ready to create an S3 bucket and configure encryption with the newly created key.

Navigate across to S3 and create a new bucket.
On the second option of creating a bucket, enable the Default encryption option.
Toggle from AES-256 encryption to AWS-KMS. You will be required to select a KMS key, so add the newly created key.
Move to the end of the creation process and click Create.

Adding CMK to the S3 bucket

This is all that is required to encrypt an S3 bucket with KMS keys. Now a user who tries to download content from the bucket but who doesn't have permissions to use the CMK key will not be able to download or view any files.

KMS API logging with CloudTrail

AWS CloudTrail is a web service that records activity occurring on your account and logs it to either the S3 or the CloudWatch logs. CloudTrail can capture all API calls made to AWS KMS. The calls to the API are logged as events. Any calls made from the console, KMS APIs, the AWS CLI, and SDKs will be recorded in CloudTrail, which adds an extra layer of security to auditing your KMS keys.

CloudTrail will log successful operations as well as any calls made that have failed. When viewing the events, some fields are not displayed for security reasons.

Subscribe to 4sysops newsletter!

Conclusion

Using KMS keys in your AWS services is a simple solution to implement and adds an extra layer of security to your data. Security and quality controls in AWS KMS have been validated and certified by many compliance protocols, such as FIPS 140-2 and HIPAA. KMS can integrate into over 60 services in AWS for use by developers from the SDK. With little effort, you can secure your AWS services, so I would highly recommend looking into AWS KMS.