Thousands of organizations use Amazon Web Services (AWS) to host their applications and manage their data in the cloud. The advantage of geographic availability, scalability and reliability make AWS a great choice.
Due to recent and increasingly frequent security breaches across many environments, it is necessary for us to take our data protection strategy seriously.
We can all agree that information security is always of paramount importance, whether data is stored on-premises or in the cloud.
In this article we will go through AWS KMS and how to use it in an existing AWS account.
AWS KEY MANAGEMENT SERVICE
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for us to create, control, rotate, and use encryption keys.
It also centralizes key management, with one dashboard that offers creation, rotation, and lifecycle management functions.
AWS KMS Concepts
1. Customer Master Key
Customer Master Keys (CMKs), also called Master Encryption Keys (MEKs), are used to generate, encrypt, and decrypt the data keys (DKs) that you use outside of AWS KMS to encrypt your data. This strategy is known as envelope encryption. CMKs are created in AWS KMS and never leave AWS KMS unencrypted. They can only be accessed through AWS KMS.
The master keys are protected by FIPS 140-2 validated cryptographic modules.
2. Data Keys
Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys.
3. Encrypting Data
1. First of all, a Customer Master Key is created in the KMS console.
2. Then, to create a data key, AWS KMS uses the CMK to generate one. The operation returns a plaintext copy of the data key and a copy of the data key encrypted under the CMK.
4. Decrypting Data
1. To decrypt your data, pass the encrypted data key to the Decrypt operation.
3. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.
5. Envelope Encryption
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. AWS KMS uses the master key (MEK/CMK) to encrypt the data key (DEK).
We will be creating a Customer Master Key in the AWS KMS console, uploading a file to S3 using KMS master-key encryption, and then trying to access the encrypted file.
Step-1: Creating Master Key in AWS-KMS
1. First of all, log in to the AWS Management Console, go to the IAM Dashboard and select Encryption Keys; this opens the AWS KMS console.
2. In the AWS KMS console select the Region and click on Create Key.
3. Create an alias for the KMS master key and add a meaningful tag.
4. Define the key administrative and key usage permissions.
5. Review the policy and click on Create.
6. You can see in the KMS console that a new master key has been created.
Step-2: Create a Bucket in S3
1. Go to the S3 console in AWS and click on Create Bucket.
2. Specify the bucket name and Region and click on Create.
3. Once the bucket is created, upload some data to it in the next step.
Step-3: Upload data to Bucket created in S3
1. Click on Upload to upload a file to the S3 bucket created in the previous step.
2. Select the file and, in the next step, define who can access the bucket and the access permissions.
3. In the next step choose the storage class and encryption method.
4. For the encryption method select encryption using an AWS KMS master key, and select the master key generated in the earlier step for data encryption.
5. Review and click on Upload. Once uploaded, verify the object properties.
6. Now try to access the uploaded data by clicking on Download. You will see that you are able to download the file without any issue.
Step-4: Disable the Master Key
1. Now let's disable the master key from the KMS console and check again.
2. Try again to access the uploaded file in S3 after disabling the MK.
Step-5: Enable the Master Key
1. To enable the master key again, go to the KMS console and enable the MK.
Step-6: Try to access the S3 object with a different IAM user
1. Try to access the file uploaded to the S3 bucket with a different IAM user who does not have usage access to the KMS master key.
What's Happening Behind the Scenes
1. Encryption Using KMS Customer Master Key
2. Decryption Using KMS Customer Master Key
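The two flows above, written out as an added Go example that is not from the article: a local type KMS stands in for the real GenerateDataKey and Decrypt API calls (an assumption, since the real calls go through the AWS SDK), AES-256-GCM is assumed for both wrapping the data key and sealing the object, and the Enabled flag reproduces what Step-4 showed, a disabled CMK refusing to unwrap the data key so the object can no longer be read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for AWS KMS (assumption: real code calls the SDK). The CMK never leaves it.
type KMS struct {
	cmk     []byte
	Enabled bool // flipping this mirrors Disable/Enable in the KMS console (Step-4)
}
var errDisabled = errors.New("KMSInvalidStateException: CMK is disabled")
func gcm(key []byte) cipher.AEAD { // AES-256-GCM; every key here is 32 bytes, so no error path
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte { // prepends a fresh 12-byte nonce to the ciphertext
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { // strips the nonce and verifies the GCM tag
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// EncryptObject is the envelope flow: GenerateDataKey, seal the data under the plaintext data key, wipe that key, and hand back ciphertext plus the wrapped key stored beside it.
func EncryptObject(k *KMS, data []byte) (ct, wrapped []byte) {
	dk := make([]byte, 32)
	rand.Read(dk)
	defer clear(dk) // the plaintext data key is gone as soon as it has been used
	return seal(dk, data), seal(k.cmk, dk)
}
// DecryptObject sends only the wrapped key to KMS (Decrypt), then unseals the data locally; a disabled CMK refuses the call, which is why the S3 download failed in Step-4.
func DecryptObject(k *KMS, ct, wrapped []byte) ([]byte, error) {
	if !k.Enabled {
		return nil, errDisabled
	}
	dk, err := open(k.cmk, wrapped)
	if err != nil {
		return nil, err
	}
	defer clear(dk)
	return open(dk, ct)
}
```

Real KMS also refuses GenerateDataKey while the CMK is disabled; the stand-in only models the decrypt side, which is the half the walkthrough exercised.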
KMS is a fully managed service because it automatically handles all of the availability, scalability, physical security, and hardware maintenance for the underlying Key Management Infrastructure (KMI).
With no up-front cost and usage-based pricing that starts at $1 per Customer Master Key (CMK) per month, KMS makes it easy for us to encrypt data stored in S3, EBS, RDS, Redshift, and any other AWS service that's integrated with KMS.