Loading...

Managing Encryption Keys with AWS KMS and Boto3 | CodeSignal Learn

Introduction

Welcome to another exciting lesson of our course - Mastering Cloud Engineering with AWS and Python. Today, we delve into managing encryption keys with the AWS Key Management Service (AWS KMS). In previous lessons, we covered securing AWS resources and managing secrets using AWS Secrets Manager and AWS SSM Parameter Store. Now, we will extend that knowledge by learning how to create, control, and use AWS KMS keys and how to encrypt and decrypt data using AWS KMS.

Understanding AWS KMS

The AWS Key Management Service (AWS KMS) is a managed service that helps you create and manage cryptographic keys for data protection. It supports various key types, including:

AWS KMS keys: AWS KMS keys are the core resources in AWS KMS, used to encrypt up to 4 KB of data directly and manage other cryptographic operations. There are two types of AWS KMS keys:
- AWS Managed KMS Keys: Automatically created and managed by AWS for specific integrated services. These keys are used for default service encryption and are managed by AWS, including their lifecycle operations like rotation.
- Customer Managed KMS Keys: Created and managed by you, offering more control, including policy management, key rotation, and auditing. Unlike AWS managed KMS keys, these incur usage charges.
Data Keys: Generated by AWS KMS and used to encrypt your data outside of KMS. Data keys are encrypted under an AWS KMS key and can be decrypted to plaintext only when needed, ensuring secure data handling practices.
Asymmetric Keys and Key Pairs: For operations requiring separate keys for encryption and decryption or digital signing, AWS KMS supports asymmetric KMS keys, generating a public and a private key pair. The private key remains secure within KMS while the public key can be used externally.

AWS KMS is designed for security, meeting compliance requirements with its hardware security modules (HSMs) that are FIPS 140-2 validated, making it suitable for managing sensitive data across AWS services. To learn more, refer to the .

Join the 1M+ learners on CodeSignal

Be a part of our community of 1M+ users who develop and demonstrate their skills on CodeSignal

AWS KMS Keys vs Data Keys: A Document Storage Example

To grasp the distinction and practical use of AWS KMS keys and data keys in AWS Key Management Service (AWS KMS), consider a secure document storage service. This service allows users to securely store and access confidential documents in the cloud, highlighting the necessity for both AWS KMS keys and data keys.

Use of AWS KMS Keys:
- Central Management and Policy Control: AWS KMS keys serve as the foundation of the encryption strategy, enabling centralized control over encryption policies. For example, specific policies can restrict encryption and key generation activities to certain application components or users, reinforcing security and access control.
- Audit and Compliance: The ability to audit the use of AWS KMS keys through AWS CloudTrail helps meet compliance requirements. These logs provide valuable insights into when and by whom the AWS KMS keys were accessed, which is crucial for security audits.
Use of Data Keys:
- Efficient Document Encryption: Given the direct encryption with AWS KMS keys in AWS KMS is not suited for large volumes of data due to size and cost constraints, data keys are generated to encrypt the actual documents. Each uploaded document triggers the generation of a unique data key, enhancing efficiency and scalability.
- Document Encryption Process: When a document is uploaded, the application utilizes an AWS KMS key to generate a data key in two forms: a plaintext version for immediate encryption of the document, and an encrypted version stored alongside the encrypted document. This ensures that the encryption process is both secure and efficient.
- Secure Access and Sharing: To access a document, the encrypted data key is decrypted using the AWS KMS key into plaintext, then used to decrypt the document. This process allows for secure and scalable document access, with each document encrypted under a unique key, significantly minimizing the risk of a security breach.

This example illustrates how AWS KMS keys and data keys complement each other within a secure encryption strategy. AWS KMS keys facilitate the high-level management and policy enforcement, making them the backbone of the encryption architecture. In contrast, data keys, generated for specific encryption tasks, offer the flexibility and efficiency needed for encrypting large amounts of data. Together, they enable a secure, scalable, and compliant document storage service.

Creating an AWS KMS Key in AWS KMS

AWS KMS keys are primary resources in AWS KMS; they are used to encrypt and decrypt up to 4 KB of data. Essentially, you interact with an AWS KMS key when you encrypt or decrypt data. In creating an AWS KMS key, we specify certain parameters like Description, KeyUsage, and Origin, which customize the key's creation and its usability in AWS. Let's create an AWS KMS key:

KeyUsage Parameter: The KeyUsage parameter determines how the AWS KMS key will be used. The allowed values are:
- ENCRYPT_DECRYPT: The AWS KMS key can be used for both encryption and decryption operations.
- SIGN_VERIFY: The AWS KMS key is used for digital signing operations or to verify digital signatures, rather than encryption or decryption.
- GENERATE_VERIFY_MAC: The AWS KMS key is used to generate and verify message authentication codes (MACs), providing data integrity and authenticity.
- GENERATE_KEY_PAIR: The AWS KMS key is used to generate key pairs, typically for asymmetric cryptographic operations.
Origin Parameter: The Origin parameter defines the source of the key material for the AWS KMS key. Possible values are:
- AWS_KMS: Key material is generated and managed within AWS KMS.
- EXTERNAL: Key material is generated outside of AWS KMS and imported. This option allows you to use your key material in AWS KMS operations but keep it in a hardware security module (HSM) that you control.
- AWS_CLOUDHSM: Key material is generated and managed in AWS CloudHSM but used within AWS KMS. This combines the integration and ease-of-use features of AWS KMS with the control and security of AWS CloudHSM.
- EXTERNAL_KEY_STORE: Key material is generated and managed in an external key store but used within AWS KMS. This allows for tighter control and compliance by integrating with an organization's existing key management infrastructure.

The KeyUsage and Origin parameters together determine the capabilities and properties of your AWS KMS key. By understanding and configuring these parameters, you can tailor your AWS KMS key to suit your specific security and operational requirements.