AWS KMS and AWS CloudHSM

AWS KMS

AWS Key Management Service (KMS) is a managed service that enables you to easily encrypt your data.

AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

AWS KMS allows you to centrally manage and securely store your keys. These are known as customer master keys or CMKs.

Customer Master Keys (CMKs)

A Customer Master Key (CMK) consists of:

  • Alias.
  • Creation date.
  • Description.
  • Key state.
  • Key material (either customer provided or AWS provided).

Customer master keys are the primary resources in AWS KMS.

The CMK includes metadata, such as the key ID, creation date, description, and key state.

The CMK also contains the key material used to encrypt and decrypt data.

AWS KMS supports symmetric and asymmetric CMKs.

CMKs are created in AWS KMS. Symmetric CMKs and the private keys of asymmetric CMKs never leave AWS KMS unencrypted.

By default, AWS KMS creates the key material for a CMK.

A CMK can encrypt data up to 4 KB in size.

A CMK can generate, encrypt and decrypt Data Encryption Keys (DEKs).

A CMK can never be exported from KMS (CloudHSM allows this).

AWS Managed CMKs:

  • CMKs managed by AWS are used by AWS services that interact with KMS to encrypt data.
  • They can only be used by the service that created them within a particular region.
  • They are created the first time you implement encryption using that service.

Customer managed CMKs:

  • These provide greater flexibility.
  • You can perform rotation, governing access and key policy configuration.
  • You are able to enable and disable the key when it is no longer required.

AWS KMS CMKs

Customer Managed CMKs

Customer managed CMKs are CMKs in your AWS account that you create, own, and manage.

You have full control over these CMKs, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the CMK, and scheduling the CMKs for deletion.

Customer managed CMKs incur a monthly fee and a fee for use in excess of the free tier.

AWS Managed CMKs

AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS.

You cannot manage these CMKs, rotate them, or change their key policies.

You also cannot use AWS managed CMKs in cryptographic operations directly; the service that creates them uses them on your behalf.

You do not pay a monthly fee for AWS managed CMKs. They can be subject to fees for use in excess of the free tier, but some AWS services cover these costs for you.

AWS Owned CMKs

AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts.

Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account.

You do not need to create or manage the AWS owned CMKs.

However, you cannot view, use, track, or audit them.

You are not charged a monthly fee or usage fee for AWS owned CMKs and they do not count against the AWS KMS quotas for your account.

Data Encryption Keys

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys.

AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS.

The GenerateDataKey API can be used to create a data encryption key using a CMK.

[Figure: Amazon KMS data encryption keys]

KMS Details

You set usage policies on the keys that determine which users can use them to encrypt and decrypt data and under which conditions.

Key material options:

  • KMS generated.
  • Import your own.

You can generate CMKs in KMS, in an AWS CloudHSM cluster, or import them from your own key management infrastructure.

These master keys are protected by hardware security modules (HSMs) and are only ever used within those modules.

You can submit data directly to KMS to be encrypted or decrypted using these master keys.

KMS now has the option for symmetric and asymmetric keys.

KMS is for encryption at rest only (not for data in transit; use SSL for that).

KMS is tightly integrated into many AWS services like Lambda, S3, EBS, EFS, DynamoDB, SQS etc.

Data keys are not retained or managed by KMS.

AWS services encrypt your data and store an encrypted copy of the data key along with the data it protects.

When a service needs to decrypt your data, it asks KMS to decrypt the data key using your master key.

If the user requesting data from the AWS service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data and return it in plaintext.

All requests to use your master keys are logged in AWS CloudTrail so you can understand who used which key under which context and when they used it.

You can control who manages and accesses keys via IAM users and roles.

You can audit the use of keys via CloudTrail.
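Because every request that uses a master key is written to CloudTrail, that record stream is where key misuse becomes visible. The Go program below is an added example, not part of the original notes or of any AWS tooling: it parses a constructed CloudTrail extract (`SampleTrail`, modelled on the real record layout with placeholder account and key IDs, not a capture) and applies a few defender checks: access-denied KMS calls, key-management actions such as ScheduleKeyDeletion, a key being used by a principal outside an allow-list you supply, and cryptographic calls that carry no encryption context. The per-key allow-list of principal ARNs is an assumption of the example, not a KMS feature; in practice it would come from the key policy you intend to enforce.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// KMSEvent holds only the CloudTrail fields the triage needs; encoding/json ignores the rest.
type KMSEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		ARN       string `json:"arn"`
		InvokedBy string `json:"invokedBy"`
	} `json:"userIdentity"`
	RequestParameters struct {
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// Finding is one triage result: a severity label and a human-readable detail.
type Finding struct{ Severity, Detail string }

// adminActions are key-management calls that deserve review whoever makes them.
var adminActions = map[string]bool{
	"ScheduleKeyDeletion": true, "DisableKey": true, "PutKeyPolicy": true, "DisableKeyRotation": true,
}

// ParseTrail decodes a CloudTrail log body ({"Records":[...]}) and keeps the KMS events.
func ParseTrail(body []byte) ([]KMSEvent, error) {
	var file struct {
		Records []KMSEvent `json:"Records"`
	}
	if err := json.Unmarshal(body, &file); err != nil {
		return nil, err
	}
	var kms []KMSEvent
	for _, r := range file.Records {
		if r.EventSource == "kms.amazonaws.com" {
			kms = append(kms, r)
		}
	}
	return kms, nil
}

// Triage checks each KMS event against an allow-list of principal ARNs per key ARN, flagging
// denied calls, key-management actions, use by an unlisted principal, and calls with no context.
func Triage(events []KMSEvent, allowed map[string][]string) []Finding {
	var out []Finding
	for _, e := range events {
		key := "(no key resource)"
		if len(e.Resources) > 0 {
			key = e.Resources[0].ARN
		}
		who := e.UserIdentity.ARN
		if e.UserIdentity.InvokedBy != "" {
			who += " via " + e.UserIdentity.InvokedBy
		}
		where := fmt.Sprintf("%s %s on %s by %s from %s", e.EventTime, e.EventName, key, who, e.SourceIP)
		switch {
		case strings.HasPrefix(e.ErrorCode, "AccessDenied"):
			out = append(out, Finding{"medium", "denied call: " + where})
		case adminActions[e.EventName]:
			out = append(out, Finding{"high", "key-management action: " + where})
		case !contains(allowed[key], e.UserIdentity.ARN):
			out = append(out, Finding{"high", "principal not in allow-list: " + where})
		case len(e.RequestParameters.EncryptionContext) == 0:
			out = append(out, Finding{"low", "no encryption context: " + where})
		}
	}
	return out
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SampleTrail is a constructed CloudTrail extract (placeholder account and key IDs), not a real capture.
const SampleTrail = `{"Records":[
{"eventTime":"2024-05-01T09:00:01Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:iam::111122223333:role/payroll-app"},"requestParameters":{"encryptionContext":{"app":"payroll"}},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
{"eventTime":"2024-05-01T09:00:02Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:role/payroll-app","invokedBy":"s3.amazonaws.com"},"requestParameters":{"encryptionContext":{"aws:s3:arn":"arn:aws:s3:::payroll-bucket/2024/05.csv"}},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
{"eventTime":"2024-05-01T09:05:44Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"encryptionContext":{"app":"payroll"}},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
{"eventTime":"2024-05-01T09:07:10Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"encryptionContext":{"app":"payroll"}},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
{"eventTime":"2024-05-01T09:30:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"pendingWindowInDays":7},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
{"eventTime":"2024-05-01T09:31:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:iam::111122223333:role/payroll-app"}}
]}`
```

On the sample, the two calls by the payroll role (including the one S3 made on its behalf) produce nothing, the denied Decrypt by alice is medium, the contractor's Decrypt is high because that principal is not on the key's list, and alice's ScheduleKeyDeletion is high regardless of her being an expected caller: the 7-to-30-day waiting period described later in these notes is the window in which that finding is still actionable.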

KMS differs from Secrets Manager in that it is purpose-built for encryption key management.

KMS is validated by many compliance schemes (e.g. PCI DSS Level 1, FIPS 140-2 Level 2).

Exam tip: Encryption keys are regional.

Key Management with KMS

You can perform the following key management functions in AWS KMS:

  • Create keys with a unique alias and description.
  • Import your own key material.
  • Define which IAM users and roles can manage keys.
  • Define which IAM users and roles can use keys to encrypt and decrypt data.
  • Choose to have AWS KMS automatically rotate your keys on an annual basis.
  • Temporarily disable keys so they cannot be used by anyone.
  • Re-enable disabled keys.
  • Delete keys that you no longer use.
  • Audit use of keys by inspecting logs in AWS CloudTrail.
  • Create custom key stores*.
  • Connect and disconnect custom key stores*.
  • Delete custom key stores*.

* The use of custom key stores requires CloudHSM resources to be available in your account.

Data Encryption Scenarios

Typically, data is encrypted in one of the following three scenarios:

  1. You can use KMS APIs directly to encrypt and decrypt data using your master keys stored in KMS.
  2. You can choose to have AWS services encrypt your data using your master keys stored in KMS. In this case data is encrypted using data keys that are protected by your master keys in KMS.
  3. You can use the AWS Encryption SDK that is integrated with AWS KMS to perform encryption within your own applications, whether they operate in AWS or not.

Custom Key Store

The AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS.

You can configure your own CloudHSM cluster and authorize KMS to use it as a dedicated key store for your keys rather than the default KMS key store.

When you create keys in KMS you can choose to generate the key material in your CloudHSM cluster. Master keys generated in your custom key store never leave the HSMs in the CloudHSM cluster in plaintext, and all KMS operations that use those keys are performed only in your HSMs.

In all other respects master keys stored in your custom key store are consistent with other KMS CMKs.

Key deletion

You can schedule a customer master key and associated metadata that you created in AWS KMS for deletion, with a configurable waiting period from 7 to 30 days.

This waiting period allows you to verify the impact of deleting a key on your applications and users that depend on it.

The default waiting period is 30 days.

You can cancel key deletion during the waiting period.

AWS KMS APIs

The following APIs are useful to know for the exam:

Encrypt (aws kms encrypt):

  • Encrypts plaintext into ciphertext by using a customer master key (CMK).
  • You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information.
  • You can use the Encrypt operation to move encrypted data from one AWS region to another.

Decrypt (aws kms decrypt):

  • Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK) using any of the following operations:
    • Encrypt
    • GenerateDataKey
    • GenerateDataKeyPair
    • GenerateDataKeyWithoutPlaintext
    • GenerateDataKeyPairWithoutPlaintext

Re-encrypt (aws kms re-encrypt):

  • Decrypts ciphertext and then re-encrypts it entirely within AWS KMS.
  • You can use this operation to change the customer master key (CMK) under which data is encrypted, such as when you manually rotate a CMK or change the CMK that protects a ciphertext.
  • You can also use it to re-encrypt ciphertext under the same CMK, such as to change the encryption context of a ciphertext.

Enable-key-rotation:

  • Enables automatic rotation of the key material for the specified symmetric customer master key (CMK).
  • You cannot perform this operation  on a CMK in a different AWS account.

GenerateDataKey (aws kms generate-data-key):

  • Generates a unique symmetric data key for use outside of AWS KMS.
  • Returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify.

GenerateDataKeyWithoutPlaintext (generate-data-key-without-plaintext):

  • Generates a unique symmetric data key.
  • This operation returns a data key that is encrypted under a customer master key (CMK) that you specify.
  • To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.

KMS Envelope Encryption

AWS KMS is integrated with AWS services and client-side toolkits that use a method known as envelope encryption to encrypt your data.

Under this method, KMS generates data keys which are used to encrypt data and are themselves encrypted using your master keys in KMS:

  • A CMK is used to encrypt the data key (envelope key).
  • The envelope key is used to encrypt and decrypt the data.
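The flow in the Data Encryption Keys section and the two bullets above (a CMK wraps the data key, the data key protects the data) can be shown end to end. The Go program below is an added example, not code from the original page or from AWS: `FakeKMS` is a constructed in-memory stand-in for the KMS service whose `GenerateDataKey` and `Decrypt` mirror the shape of the real APIs (its master key is a random 256-bit value held in memory, where the real service uses an HSM-backed CMK that never leaves KMS), and `EnvelopeEncrypt`/`EnvelopeDecrypt` are the client side. The encryption context is bound to the wrapped data key as AES-GCM associated data, so a caller presenting a different context cannot unwrap it, and the plaintext data key is zeroed as soon as it has been used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM under a fresh nonce (prefixed to the output).
// aad is authenticated, not encrypted: that is how an encryption context is bound.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key or a different aad fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// contextAAD renders the encryption context deterministically (fmt sorts map keys).
func contextAAD(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) }

// FakeKMS is a constructed stand-in for the KMS service: one symmetric master key
// held in memory (real KMS keeps it in HSMs). Callers never receive the master key.
type FakeKMS struct{ master []byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{master: randomBytes(32)} }

// GenerateDataKey models the real API: a fresh 256-bit data key, returned in plaintext and wrapped.
func (f *FakeKMS) GenerateDataKey(ctx map[string]string) (dek, wrapped []byte, err error) {
	dek = randomBytes(32)
	wrapped, err = gcmSeal(f.master, dek, contextAAD(ctx))
	return dek, wrapped, err
}

// Decrypt models the Decrypt API; the caller must present the same context.
func (f *FakeKMS) Decrypt(blob []byte, ctx map[string]string) ([]byte, error) {
	return gcmOpen(f.master, blob, contextAAD(ctx))
}

// Envelope is what the application persists: ciphertext plus the wrapped data key.
type Envelope struct{ WrappedKey, Ciphertext []byte }

func EnvelopeEncrypt(k *FakeKMS, ctx map[string]string, data []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	defer zero(dek) // discard the plaintext key once the data is sealed
	ct, err := gcmSeal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(k *FakeKMS, ctx map[string]string, env *Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.WrappedKey, ctx) // only the key service can unwrap it
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return gcmOpen(dek, env.Ciphertext, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

The application stores only the `Envelope` (wrapped key plus ciphertext) and must go back to the key service to read the data, which is exactly the call CloudTrail records. This is also why the 4 KB limit on direct Encrypt is not a problem in practice: the master key only ever wraps a 32-byte data key, however large the payload is.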

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

CloudHSM is standards-compliant and enables you to export all of your keys to most other commercially-available HSMs, subject to your configurations.

It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups.

CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

CloudHSM runs in your VPC.

The following table helps you understand the key differences between AWS CloudHSM and AWS KMS:

[Table: AWS CloudHSM vs AWS KMS]
