Podcast
Questions and Answers
Which of the following is NOT a characteristic of an AWS KMS key?
Which of the following is NOT a characteristic of an AWS KMS key?
What type of KMS key is managed by AWS and cannot be rotated or have its key policies changed by the user?
What type of KMS key is managed by AWS and cannot be rotated or have its key policies changed by the user?
What is the maximum data size that a KMS key can encrypt?
What is the maximum data size that a KMS key can encrypt?
Which of the following is a valid way to manage a Customer Managed KMS key?
Which of the following is a valid way to manage a Customer Managed KMS key?
Signup and view all the answers
What is the primary difference between Symmetric and Asymmetric KMS keys?
What is the primary difference between Symmetric and Asymmetric KMS keys?
Signup and view all the answers
Which of the following is NOT a benefit of using AWS KMS?
Which of the following is NOT a benefit of using AWS KMS?
Signup and view all the answers
What happens to a Customer Managed KMS key when the AWS account it's associated with is deleted?
What happens to a Customer Managed KMS key when the AWS account it's associated with is deleted?
Signup and view all the answers
Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in KMS?
Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in KMS?
Signup and view all the answers
What is the maximum number of KMS keys you can create per account per region?
What is the maximum number of KMS keys you can create per account per region?
Signup and view all the answers
What is the default waiting period for deleting a KMS key?
What is the default waiting period for deleting a KMS key?
Signup and view all the answers
What is the purpose of the 'aws kms encrypt' API?
What is the purpose of the 'aws kms encrypt' API?
Signup and view all the answers
Which of these is NOT an AWS KMS API mentioned in the content?
Which of these is NOT an AWS KMS API mentioned in the content?
Signup and view all the answers
What method does AWS KMS use to encrypt data in AWS services and client-side toolkits?
What method does AWS KMS use to encrypt data in AWS services and client-side toolkits?
Signup and view all the answers
What is the purpose of the 'aws kms generate-data-key-without-plaintext' API?
What is the purpose of the 'aws kms generate-data-key-without-plaintext' API?
Signup and view all the answers
What is the primary limitation of AWS managed KMS keys regarding their usage?
What is the primary limitation of AWS managed KMS keys regarding their usage?
Signup and view all the answers
What is a unique characteristic of AWS owned KMS keys?
What is a unique characteristic of AWS owned KMS keys?
Signup and view all the answers
How does AWS KMS handle data encryption keys?
How does AWS KMS handle data encryption keys?
Signup and view all the answers
What is the purpose of the GenerateDataKey API in AWS KMS?
What is the purpose of the GenerateDataKey API in AWS KMS?
Signup and view all the answers
What best defines a custom key store in AWS KMS?
What best defines a custom key store in AWS KMS?
Signup and view all the answers
What happens to requests made for decrypting data keys under KMS?
What happens to requests made for decrypting data keys under KMS?
Signup and view all the answers
Which of the following is not a function of AWS KMS?
Which of the following is not a function of AWS KMS?
Signup and view all the answers
What is a key management function that KMS supports?
What is a key management function that KMS supports?
Signup and view all the answers
Why are AWS KMS keys regional?
Why are AWS KMS keys regional?
Signup and view all the answers
Which statement about data keys generated by AWS KMS is correct?
Which statement about data keys generated by AWS KMS is correct?
Signup and view all the answers
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
Signup and view all the answers
What is the purpose of GenerateDataKeyWithoutPlaintext API in AWS KMS?
What is the purpose of GenerateDataKeyWithoutPlaintext API in AWS KMS?
Signup and view all the answers
What is the maximum number of master keys that can be created per account per region in AWS KMS?
What is the maximum number of master keys that can be created per account per region in AWS KMS?
Signup and view all the answers
What is the purpose of Enable-key-rotation API in AWS KMS?
What is the purpose of Enable-key-rotation API in AWS KMS?
Signup and view all the answers
What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
Signup and view all the answers
What happens to a scheduled key deletion in AWS KMS during the waiting period?
What happens to a scheduled key deletion in AWS KMS during the waiting period?
Signup and view all the answers
What can be done with a Customer Managed KMS key?
What can be done with a Customer Managed KMS key?
Signup and view all the answers
Which statement accurately describes the key material of a KMS key?
Which statement accurately describes the key material of a KMS key?
Signup and view all the answers
Which of the following is a limitation of AWS KMS regarding KMS keys?
Which of the following is a limitation of AWS KMS regarding KMS keys?
Signup and view all the answers
What is true about the permissions associated with Customer Managed KMS keys?
What is true about the permissions associated with Customer Managed KMS keys?
Signup and view all the answers
What distinguishes AWS Managed KMS keys from Customer Managed KMS keys?
What distinguishes AWS Managed KMS keys from Customer Managed KMS keys?
Signup and view all the answers
Which statement is NOT true regarding AWS KMS keys?
Which statement is NOT true regarding AWS KMS keys?
Signup and view all the answers
What are KMS keys primarily used for within AWS KMS?
What are KMS keys primarily used for within AWS KMS?
Signup and view all the answers
How does AWS KMS handle the exporting of KMS keys?
How does AWS KMS handle the exporting of KMS keys?
Signup and view all the answers
What governs the use and access of AWS KMS keys?
What governs the use and access of AWS KMS keys?
Signup and view all the answers
Which statement about AWS owned KMS keys is accurate?
Which statement about AWS owned KMS keys is accurate?
Signup and view all the answers
What happens to Data Encryption Keys (DEKs) managed by AWS KMS?
What happens to Data Encryption Keys (DEKs) managed by AWS KMS?
Signup and view all the answers
For which scenario is a Custom Key Store in AWS KMS specifically designed?
For which scenario is a Custom Key Store in AWS KMS specifically designed?
Signup and view all the answers
Which statement correctly describes the fees associated with AWS managed KMS keys?
Which statement correctly describes the fees associated with AWS managed KMS keys?
Signup and view all the answers
How are requests to use master keys logged in AWS KMS?
How are requests to use master keys logged in AWS KMS?
Signup and view all the answers
In what context can AWS KMS keys not be used directly by users?
In what context can AWS KMS keys not be used directly by users?
Signup and view all the answers
What does the GenerateDataKey API do in AWS KMS?
What does the GenerateDataKey API do in AWS KMS?
Signup and view all the answers
Which type of keys requires you to have CloudHSM resources to use custom key stores?
Which type of keys requires you to have CloudHSM resources to use custom key stores?
Signup and view all the answers
What is a unique feature of KMS compared to AWS Secrets Manager?
What is a unique feature of KMS compared to AWS Secrets Manager?
Signup and view all the answers
What is the purpose of scheduling a customer master key for deletion?
What is the purpose of scheduling a customer master key for deletion?
Signup and view all the answers
Which API is used to generate a data key that is used to encrypt data?
Which API is used to generate a data key that is used to encrypt data?
Signup and view all the answers
What is the limit on the number of KMS keys that can be created per account per region?
What is the limit on the number of KMS keys that can be created per account per region?
Signup and view all the answers
What happens to a scheduled key deletion during the waiting period?
What happens to a scheduled key deletion during the waiting period?
Signup and view all the answers
What is the primary method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
What is the primary method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
Signup and view all the answers
What is the minimum waiting period for deleting a customer master key and associated metadata?
What is the minimum waiting period for deleting a customer master key and associated metadata?
Signup and view all the answers
Which of these statements accurately describes the use of AWS managed KMS keys?
Which of these statements accurately describes the use of AWS managed KMS keys?
Signup and view all the answers
What is the primary purpose of Data Encryption Keys (DEKs) in AWS KMS?
What is the primary purpose of Data Encryption Keys (DEKs) in AWS KMS?
Signup and view all the answers
Which of the following accurately describes the role of AWS CloudHSM in AWS KMS?
Which of the following accurately describes the role of AWS CloudHSM in AWS KMS?
Signup and view all the answers
Which of the following is a feature of AWS KMS that allows for increased control over key management?
Which of the following is a feature of AWS KMS that allows for increased control over key management?
Signup and view all the answers
How does AWS KMS ensure the security of master keys stored in a custom key store?
How does AWS KMS ensure the security of master keys stored in a custom key store?
Signup and view all the answers
Which statement accurately describes the interaction between AWS KMS and AWS services when decrypting data?
Which statement accurately describes the interaction between AWS KMS and AWS services when decrypting data?
Signup and view all the answers
What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?
What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?
Signup and view all the answers
Which of the following actions can be performed on a Customer Managed KMS key?
Which of the following actions can be performed on a Customer Managed KMS key?
Signup and view all the answers
What is a key management function that KMS supports?
What is a key management function that KMS supports?
Signup and view all the answers
Which of the following statements accurately describes the fees associated with AWS managed KMS keys?
Which of the following statements accurately describes the fees associated with AWS managed KMS keys?
Signup and view all the answers
What is a distinguishing characteristic of Customer Managed KMS keys compared to AWS Managed KMS keys?
What is a distinguishing characteristic of Customer Managed KMS keys compared to AWS Managed KMS keys?
Signup and view all the answers
What is a key limitation of AWS Managed KMS keys?
What is a key limitation of AWS Managed KMS keys?
Signup and view all the answers
What is a primary function of a KMS key in AWS KMS?
What is a primary function of a KMS key in AWS KMS?
Signup and view all the answers
What is the maximum size of data that a KMS key can encrypt directly?
What is the maximum size of data that a KMS key can encrypt directly?
Signup and view all the answers
Which of the following is a key distinction between symmetric and asymmetric KMS keys?
Which of the following is a key distinction between symmetric and asymmetric KMS keys?
Signup and view all the answers
What is the role of Data Encryption Keys (DEKs) in AWS KMS?
What is the role of Data Encryption Keys (DEKs) in AWS KMS?
Signup and view all the answers
Which of the following is NOT a valid way to manage a Customer Managed KMS key?
Which of the following is NOT a valid way to manage a Customer Managed KMS key?
Signup and view all the answers
What is the primary purpose of the GenerateDataKey API in AWS KMS?
What is the primary purpose of the GenerateDataKey API in AWS KMS?
Signup and view all the answers
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
Signup and view all the answers
What is the purpose of the 'aws kms re-encrypt' API?
What is the purpose of the 'aws kms re-encrypt' API?
Signup and view all the answers
What happens to a scheduled key deletion in AWS KMS during the waiting period?
What happens to a scheduled key deletion in AWS KMS during the waiting period?
Signup and view all the answers
What is the advantage of using envelope encryption with AWS KMS?
What is the advantage of using envelope encryption with AWS KMS?
Signup and view all the answers
What is the limit on the number of data keys that can be derived using a master key and used in your application?
What is the limit on the number of data keys that can be derived using a master key and used in your application?
Signup and view all the answers
What happens to AWS managed master keys created on your behalf for use within supported AWS services?
What happens to AWS managed master keys created on your behalf for use within supported AWS services?
Signup and view all the answers
What crucial element does a KMS key contain for encrypting and decrypting data?
What crucial element does a KMS key contain for encrypting and decrypting data?
Signup and view all the answers
Which action is NOT allowed with AWS Managed KMS keys?
Which action is NOT allowed with AWS Managed KMS keys?
Signup and view all the answers
What happens to the private keys of asymmetric KMS keys in AWS KMS?
What happens to the private keys of asymmetric KMS keys in AWS KMS?
Signup and view all the answers
Which of the following statements is true about Customer Managed KMS keys?
Which of the following statements is true about Customer Managed KMS keys?
Signup and view all the answers
How many bytes can a KMS key encrypt at most for a single operation?
How many bytes can a KMS key encrypt at most for a single operation?
Signup and view all the answers
Which of the following is a feature of Customer Managed KMS keys?
Which of the following is a feature of Customer Managed KMS keys?
Signup and view all the answers
What is a key characteristic of AWS KMS keys regarding their exportation?
What is a key characteristic of AWS KMS keys regarding their exportation?
Signup and view all the answers
Which statement best describes the differences in management between AWS Managed KMS keys and Customer Managed KMS keys?
Which statement best describes the differences in management between AWS Managed KMS keys and Customer Managed KMS keys?
Signup and view all the answers
What is a characteristic of AWS owned KMS keys?
What is a characteristic of AWS owned KMS keys?
Signup and view all the answers
What must a user do with data encryption keys once they are generated?
What must a user do with data encryption keys once they are generated?
Signup and view all the answers
How does AWS KMS handle logging of key usage?
How does AWS KMS handle logging of key usage?
Signup and view all the answers
What is the role of the GenerateDataKey API in AWS KMS?
What is the role of the GenerateDataKey API in AWS KMS?
Signup and view all the answers
In which scenario are data encryption keys typically used?
In which scenario are data encryption keys typically used?
Signup and view all the answers
Which statement about AWS KMS keys is true?
Which statement about AWS KMS keys is true?
Signup and view all the answers
What is a unique feature of a Custom Key Store in AWS KMS?
What is a unique feature of a Custom Key Store in AWS KMS?
Signup and view all the answers
How are the fees structured for AWS managed KMS keys?
How are the fees structured for AWS managed KMS keys?
Signup and view all the answers
What governs the access and management of keys in AWS KMS?
What governs the access and management of keys in AWS KMS?
Signup and view all the answers
Which statement about the AWS Key Management Service (KMS) is accurate?
Which statement about the AWS Key Management Service (KMS) is accurate?
Signup and view all the answers
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?
Signup and view all the answers
What is the purpose of the 'aws kms re-encrypt' API?
What is the purpose of the 'aws kms re-encrypt' API?
Signup and view all the answers
What is the limit on the number of data keys that can be derived using a master key and used in your application or by AWS services?
What is the limit on the number of data keys that can be derived using a master key and used in your application or by AWS services?
Signup and view all the answers
What happens to a scheduled key deletion in AWS KMS during the waiting period?
What happens to a scheduled key deletion in AWS KMS during the waiting period?
Signup and view all the answers
What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?
Signup and view all the answers
What counts towards the limit of 1000 KMS keys per account per region?
What counts towards the limit of 1000 KMS keys per account per region?
Signup and view all the answers
Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in AWS KMS?
Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in AWS KMS?
Signup and view all the answers
Which of these options accurately describes the distinction between Customer Managed KMS keys and AWS Managed KMS keys?
Which of these options accurately describes the distinction between Customer Managed KMS keys and AWS Managed KMS keys?
Signup and view all the answers
Which of the following is NOT a valid way to manage a Customer Managed KMS key?
Which of the following is NOT a valid way to manage a Customer Managed KMS key?
Signup and view all the answers
What is a unique characteristic of AWS owned KMS keys?
What is a unique characteristic of AWS owned KMS keys?
Signup and view all the answers
Which of the following statements accurately describes the key material of a KMS key?
Which of the following statements accurately describes the key material of a KMS key?
Signup and view all the answers
Which of the following is NOT a function of AWS KMS?
Which of the following is NOT a function of AWS KMS?
Signup and view all the answers
Which statement is NOT true regarding AWS KMS keys?
Which statement is NOT true regarding AWS KMS keys?
Signup and view all the answers
What is the purpose of scheduling a customer master key for deletion?
What is the purpose of scheduling a customer master key for deletion?
Signup and view all the answers
Which of these statements accurately describes the handling of data encryption keys (DEKs) by AWS KMS?
Which of these statements accurately describes the handling of data encryption keys (DEKs) by AWS KMS?
Signup and view all the answers
Which of the following statements is TRUE regarding AWS managed KMS keys?
Which of the following statements is TRUE regarding AWS managed KMS keys?
Signup and view all the answers
How does AWS KMS handle the encryption and decryption of data in AWS services?
How does AWS KMS handle the encryption and decryption of data in AWS services?
Signup and view all the answers
What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?
What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?
Signup and view all the answers
What is the primary purpose of the GenerateDataKey API in AWS KMS?
What is the primary purpose of the GenerateDataKey API in AWS KMS?
Signup and view all the answers
What is the purpose of the 'aws kms enable-key-rotation' API?
What is the purpose of the 'aws kms enable-key-rotation' API?
Signup and view all the answers
Why are AWS KMS keys regional?
Why are AWS KMS keys regional?
Signup and view all the answers
Which of the following is NOT a feature of the AWS KMS custom key store?
Which of the following is NOT a feature of the AWS KMS custom key store?
Signup and view all the answers
What is the primary difference between AWS KMS and Secrets Manager?
What is the primary difference between AWS KMS and Secrets Manager?
Signup and view all the answers
Which of the following is TRUE about AWS owned KMS keys?
Which of the following is TRUE about AWS owned KMS keys?
Signup and view all the answers
When scheduling a customer master key for deletion, what is the minimum waiting period that can be configured?
When scheduling a customer master key for deletion, what is the minimum waiting period that can be configured?
Signup and view all the answers
Which API is used to encrypt data using a data key generated by AWS KMS?
Which API is used to encrypt data using a data key generated by AWS KMS?
Signup and view all the answers
Which of the following statements accurately describes the purpose of AWS KMS Envelope Encryption?
Which of the following statements accurately describes the purpose of AWS KMS Envelope Encryption?
Signup and view all the answers
What is the maximum number of KMS keys that can be created per account per region?
What is the maximum number of KMS keys that can be created per account per region?
Signup and view all the answers
What is the primary purpose of the Enable-key-rotation
API in AWS KMS?
What is the primary purpose of the Enable-key-rotation
API in AWS KMS?
Signup and view all the answers
Which statement accurately describes the relationship between AWS managed master keys and the KMS key limit?
Which statement accurately describes the relationship between AWS managed master keys and the KMS key limit?
Signup and view all the answers
Which of these statements about AWS Managed KMS keys is TRUE?
Which of these statements about AWS Managed KMS keys is TRUE?
Signup and view all the answers
What is the maximum data size a KMS key can encrypt?
What is the maximum data size a KMS key can encrypt?
Signup and view all the answers
Which of these actions can be performed on a Customer Managed KMS key?
Which of these actions can be performed on a Customer Managed KMS key?
Signup and view all the answers
What is the primary difference between Symmetric and Asymmetric KMS keys?
What is the primary difference between Symmetric and Asymmetric KMS keys?
Signup and view all the answers
What is the purpose of a Data Encryption Key (DEK)?
What is the purpose of a Data Encryption Key (DEK)?
Signup and view all the answers
What is NOT a function of AWS KMS?
What is NOT a function of AWS KMS?
Signup and view all the answers
Which of the following is TRUE about the cryptographic material of a KMS key?
Which of the following is TRUE about the cryptographic material of a KMS key?
Signup and view all the answers
Which of the following scenarios is specifically designed for the use of a Custom Key Store in AWS KMS?
Which of the following scenarios is specifically designed for the use of a Custom Key Store in AWS KMS?
Signup and view all the answers
Which of these options are the true statements about AWS owned KMS keys?
Which of these options are the true statements about AWS owned KMS keys?
Signup and view all the answers
What happens to a data key after it is generated using the GenerateDataKey
API in KMS?
What happens to a data key after it is generated using the GenerateDataKey
API in KMS?
Signup and view all the answers
What is a primary benefit of using a Custom Key Store in AWS KMS?
What is a primary benefit of using a Custom Key Store in AWS KMS?
Signup and view all the answers
Which of these is a key management function that AWS KMS does NOT allow?
Which of these is a key management function that AWS KMS does NOT allow?
Signup and view all the answers
What is the primary purpose of AWS KMS?
What is the primary purpose of AWS KMS?
Signup and view all the answers
Which of the following is TRUE about master keys in a Custom Key Store?
Which of the following is TRUE about master keys in a Custom Key Store?
Signup and view all the answers
How does KMS ensure that the appropriate users can access and use master keys?
How does KMS ensure that the appropriate users can access and use master keys?
Signup and view all the answers
How does KMS ensure that data can be decrypted by authorized users?
How does KMS ensure that data can be decrypted by authorized users?
Signup and view all the answers
Which of the following statements is TRUE about AWS KMS key material?
Which of the following statements is TRUE about AWS KMS key material?
Signup and view all the answers
What is the main purpose of the Enable-key-rotation
API in KMS?
What is the main purpose of the Enable-key-rotation
API in KMS?
Signup and view all the answers
Study Notes
AWS Key Management Store (KMS)
- AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
- Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).
KMS Keys
- KMS keys consist of metadata including key ID, creation date, description, and key state.
- Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
- A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.
Key Types
- Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
- AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
- AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.
Data Encryption Keys
- Data keys are used for encrypting large amounts of data and other data encryption keys.
- AWS KMS does not store or manage these data keys; they must be handled externally.
- The GenerateDataKey API creates data encryption keys using KMS keys.
KMS Functionality
- Utilizes hardware security modules (HSMs) for protecting KMS keys.
- Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
- All requests to master keys are logged in AWS CloudTrail for tracking usage.
Key Management and Policies
- Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
- KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
- Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.
Custom Key Store
- Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
- Ensures keys remain secure and in plaintext only within HSMs.
Key Deletion
- Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
- Default waiting period is 30 days, and deletion can be canceled during this time.
Important APIs
- Encrypt and Decrypt for encrypting/decrypting data.
- Re-encrypt for changing the encryption key used.
- GenerateDataKey for creating a data encryption key.
KMS Envelope Encryption
- Integrates with AWS clients using envelope encryption for better data security.
- Data keys are encrypted using master keys through KMS to secure the data itself.
Limits and Recommendations
- Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
- It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
- There are no restrictions on the number of data keys that can be generated from master keys.
AWS Key Management Store (KMS)
- AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
- Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).
KMS Keys
- KMS keys consist of metadata including key ID, creation date, description, and key state.
- Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
- A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.
Key Types
- Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
- AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
- AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.
Data Encryption Keys
- Data keys are used for encrypting large amounts of data and other data encryption keys.
- AWS KMS does not store or manage these data keys; they must be handled externally.
- The GenerateDataKey API creates data encryption keys using KMS keys.
KMS Functionality
- Utilizes hardware security modules (HSMs) for protecting KMS keys.
- Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
- All requests to master keys are logged in AWS CloudTrail for tracking usage.
Key Management and Policies
- Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
- KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
- Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.
Custom Key Store
- Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
- Ensures keys remain secure and in plaintext only within HSMs.
Key Deletion
- Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
- Default waiting period is 30 days, and deletion can be canceled during this time.
Important APIs
- Encrypt and Decrypt for encrypting/decrypting data.
- Re-encrypt for changing the encryption key used.
- GenerateDataKey for creating a data encryption key.
KMS Envelope Encryption
- Integrates with AWS clients using envelope encryption for better data security.
- Data keys are encrypted using master keys through KMS to secure the data itself.
Limits and Recommendations
- Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
- It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
- There are no restrictions on the number of data keys that can be generated from master keys.
AWS Key Management Store (KMS)
- AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
- Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).
KMS Keys
- KMS keys consist of metadata including key ID, creation date, description, and key state.
- Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
- A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.
Key Types
- Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
- AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
- AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.
Data Encryption Keys
- Data keys are used for encrypting large amounts of data and other data encryption keys.
- AWS KMS does not store or manage these data keys; they must be handled externally.
- The GenerateDataKey API creates data encryption keys using KMS keys.
KMS Functionality
- Utilizes hardware security modules (HSMs) for protecting KMS keys.
- Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
- All requests to master keys are logged in AWS CloudTrail for tracking usage.
Key Management and Policies
- Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
- KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
- Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.
Custom Key Store
- Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
- Ensures keys remain secure and in plaintext only within HSMs.
Key Deletion
- Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
- Default waiting period is 30 days, and deletion can be canceled during this time.
Important APIs
- Encrypt and Decrypt for encrypting/decrypting data.
- Re-encrypt for changing the encryption key used.
- GenerateDataKey for creating a data encryption key.
KMS Envelope Encryption
- Integrates with AWS clients using envelope encryption for better data security.
- Data keys are encrypted using master keys through KMS to secure the data itself.
Limits and Recommendations
- Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
- It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
- There are no restrictions on the number of data keys that can be generated from master keys.
AWS Key Management Store (KMS)
- AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
- Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).
KMS Keys
- KMS keys consist of metadata including key ID, creation date, description, and key state.
- Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
- A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.
Key Types
- Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
- AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
- AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.
Data Encryption Keys
- Data keys are used for encrypting large amounts of data and other data encryption keys.
- AWS KMS does not store or manage these data keys; they must be handled externally.
- The GenerateDataKey API creates data encryption keys using KMS keys.
KMS Functionality
- Utilizes hardware security modules (HSMs) for protecting KMS keys.
- Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
- All requests to master keys are logged in AWS CloudTrail for tracking usage.
Key Management and Policies
- Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
- KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
- Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.
Custom Key Store
- Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
- Ensures keys remain secure and in plaintext only within HSMs.
Key Deletion
- Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
- Default waiting period is 30 days, and deletion can be canceled during this time.
Important APIs
- Encrypt and Decrypt for encrypting/decrypting data.
- Re-encrypt for changing the encryption key used.
- GenerateDataKey for creating a data encryption key.
KMS Envelope Encryption
- Integrates with AWS clients using envelope encryption for better data security.
- Data keys are encrypted using master keys through KMS to secure the data itself.
Limits and Recommendations
- Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
- It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
- There are no restrictions on the number of data keys that can be generated from master keys.
AWS Key Management Store (KMS)
- AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
- Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).
KMS Keys
- KMS keys consist of metadata including key ID, creation date, description, and key state.
- Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
- A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.
Key Types
- Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
- AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
- AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.
Data Encryption Keys
- Data keys are used for encrypting large amounts of data and other data encryption keys.
- AWS KMS does not store or manage these data keys; they must be handled externally.
- The GenerateDataKey API creates data encryption keys using KMS keys.
KMS Functionality
- Utilizes hardware security modules (HSMs) for protecting KMS keys.
- Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
- All requests to master keys are logged in AWS CloudTrail for tracking usage.
Key Management and Policies
- Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
- KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
- Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.
Custom Key Store
- Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
- Ensures keys remain secure and in plaintext only within HSMs.
Key Deletion
- Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
- Default waiting period is 30 days, and deletion can be canceled during this time.
Important APIs
- Encrypt and Decrypt for encrypting/decrypting data.
- Re-encrypt for changing the encryption key used.
- GenerateDataKey for creating a data encryption key.
KMS Envelope Encryption
- Integrates with AWS clients using envelope encryption for better data security.
- Data keys are encrypted using master keys through KMS to secure the data itself.
Limits and Recommendations
- Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
- It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
- There are no restrictions on the number of data keys that can be generated from master keys.
AWS Key Management Store (KMS)
- AWS KMS is a managed service for data encryption and key management.
- Provides a reliable storage, management, and auditing solution for encryption across AWS services.
- Centrally manages and securely stores encryption keys, known as AWS KMS keys.
KMS Key Composition
- A KMS key includes metadata such as key ID, creation date, description, and key state.
- Contains key material used for encryption and decryption of data.
- Supports symmetric and asymmetric KMS keys.
- Key material remains encrypted within AWS KMS, ensuring security.
Types of KMS Keys
-
Customer Managed KMS Keys:
- Created and managed by the customer.
- Allows full control over key policies, IAM policies, and grants.
- Incur fees for creation and usage beyond the free tier.
-
AWS Managed KMS Keys:
- Created and managed by AWS services for the customer's account.
- Limited control over rotation and key policies.
- No monthly fee for these keys.
-
AWS Owned KMS Keys:
- Owned by AWS services for use across multiple accounts.
- No visibility or management required by the customer.
- No fees associated with these keys.
Data Encryption Keys (DEKs)
- Used for encrypting larger datasets and other data encryption keys.
- Generated, encrypted, and decrypted using AWS KMS keys.
- Managed outside of AWS KMS; KMS doesn't store or track these keys.
Key Management Capabilities
- Usage policies determine which users can perform encryption and decryption.
- KMS keys can be generated within KMS or imported from external infrastructure.
- Encrypted data must be handled within HSMs in certified environments.
KMS Integration and Compliance
- Works with various AWS services including Lambda, S3, EBS, EFS, DynamoDB, and SQS.
- Requests for master key usage are logged via AWS CloudTrail for auditing.
- Validated by compliance standards such as PCI DSS Level 1 and FIPS 140-2 Level 2.
- Specifically designed for encryption key management, distinct from Secrets Manager.
Key Deletion and Management
- Keys can be scheduled for deletion with a waiting period of 7 to 30 days, defaulting to 30 days.
- Deletion can be canceled during the waiting period to assess impact on applications.
APIs for KMS Operations
- Key APIs include:
- Encrypt: Encrypt data.
- Decrypt: Decrypt data.
- Re-encrypt: Change encryption without intervention.
- Enable-key-rotation: Automatically rotate keys.
- GenerateDataKey: Create a data encryption key.
KMS Limits
- Maximum of 1000 KMS keys per account per region, including enabled and disabled keys.
- No limits on the number of data keys derivable from a master key.
- Identify and delete unused disabled keys to manage limits effectively.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Test your knowledge of AWS Key Management Store (KMS), a managed service for encrypting data, managing and storing keys, and controlling encryption across AWS services.