Unlock Your Data Security with AWS KMS - The Key to Protect Your Sensitive Information
Anytime you hear about "encryption" for an AWS service, it is most likely AWS KMS. It's an easy way to control access to your data, as AWS manages the keys for you. KMS is fully integrated with IAM for authorisation and integrates seamlessly with AWS EBS, S3, SSM, RDS, etc.
Types of KMS:-
Symmetric :- A single key is used to encrypt and decrypt. AWS services that are integrated with KMS use symmetric KMS keys, and you never get access to the unencrypted KMS key.
Asymmetric :- A public + private key pair for encryption and decryption. Here, the public key is downloadable, but you cannot access the private key.
According to usage :-
Customer Managed Keys :- Created, managed and used by the customer, who can also enable or disable them; key rotation is available for these keys. You can view the Key Policy and audit usage in CloudTrail.
AWS Managed Keys :- Used by an AWS service and managed by AWS; rotated every 1 year. You can view the Key Policy and audit usage in CloudTrail.
AWS Owned Keys :- Created and managed by AWS and used by some AWS services to protect your resources. They are shared across multiple AWS accounts but are not in your AWS account, so you can't view, use, track or audit them.
KMS Key Material Origin
Identifies the source of the key material; it can't be changed after creation.
KMS (AWS_KMS) :- AWS KMS creates and manages the key material in its own key store.
External (EXTERNAL) :- You import the key material into the KMS key. You're responsible for securing and managing this key material outside of AWS.
Custom Key Store (AWS_CLOUDHSM) :- Here, HSM stands for Hardware Security Module. AWS KMS creates the key material in a custom key store.
KMS Multi-Region Keys
A set of identical keys in different AWS regions that can be used interchangeably; these keys have the same key ID, key material and automatic rotation settings.
KMS keys are not global; a multi-region key is a combination of a Primary key + Replicas.
These keys are managed independently.
Usage :-
Disaster Recovery
Global Data Management
Distributed signing applications
Applications that span multiple regions
etc.
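As an added example (not from the original post), a small Python audit that sorts an account's keys by the properties described above (key manager, material origin, symmetric vs asymmetric, primary/replica role) and flags rotation gaps. The sample KeyMetadata records and key IDs are constructed; the live collector assumes boto3 and AWS credentials.

```python
# Constructed sample KeyMetadata records, shaped like kms:DescribeKey output (placeholder IDs).
SAMPLE_KEYS = [
    ({"KeyId": "cmk-sym-0001", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
      "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False}, False),
    ({"KeyId": "aws-s3-0002", "KeyManager": "AWS", "Origin": "AWS_KMS",
      "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False}, None),
    ({"KeyId": "mrk-sign-0003", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
      "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "MultiRegion": True,
      "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}}, None),
    ({"KeyId": "cmk-ext-0004", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
      "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False}, None),
]

def supports_rotation(meta):
    """Automatic rotation exists only for customer managed symmetric keys generated by KMS."""
    return (meta["KeyManager"] == "CUSTOMER" and meta.get("Origin") == "AWS_KMS"
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT")

def classify_key(meta, rotation_enabled):
    """Summarise one key by manager, origin, key type and multi-region role."""
    role = None
    if meta.get("MultiRegion"):
        role = meta.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType")
    findings = []
    if supports_rotation(meta) and rotation_enabled is False:
        findings.append("automatic rotation disabled")
    if meta.get("Origin") == "EXTERNAL":  # imported material: you secure and rotate it
        findings.append("imported key material: protection and rotation are yours")
    return {"key_id": meta["KeyId"], "manager": meta["KeyManager"],
            "origin": meta.get("Origin"),
            "symmetric": meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT",
            "multi_region_role": role, "findings": findings}

def audit(keys):
    """keys: (KeyMetadata, rotation_enabled-or-None) pairs -> list of summaries."""
    return [classify_key(meta, rot) for meta, rot in keys]

def collect_live():
    """Build the same pairs from a real account with boto3 (AWS owned keys never appear)."""
    import boto3
    kms = boto3.client("kms")
    pairs = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rot = (kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
                   if supports_rotation(meta) else None)
            pairs.append((meta, rot))
    return pairs
```

Run `audit(SAMPLE_KEYS)` to see the constructed cases, or `audit(collect_live())` against a real account.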