AWS Key Management Store (KMS) Quiz

Questions and Answers

Which of the following is NOT a characteristic of an AWS KMS key?

It can be exported from KMS. (correct)

It can encrypt data up to 4KB in size.

It includes metadata such as the key ID, creation date, description, and key state.

It can be used to generate, encrypt, and decrypt Data Encryption Keys (DEKs).

What type of KMS key is managed by AWS and cannot be rotated or have its key policies changed by the user?

Symmetric KMS Keys

AWS Managed KMS Keys (correct)

Customer Managed KMS Keys

Asymmetric KMS Keys

What is the maximum data size that a KMS key can encrypt?

16KB

1MB

1KB

4KB (correct)

Which of the following is a valid way to manage a Customer Managed KMS key?

Creating an alias for the KMS key.

What is the primary difference between Symmetric and Asymmetric KMS keys?

Symmetric KMS keys use a single key for both encryption and decryption, while Asymmetric KMS keys use separate keys for encryption and decryption.

Which of the following is NOT a benefit of using AWS KMS?

Ability to export KMS keys for use in external applications.

What happens to a Customer Managed KMS key when the AWS account it's associated with is deleted?

The key is automatically deleted.

Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in KMS?

DEKs are used to encrypt data that is then encrypted again using a KMS key.

What is the maximum number of KMS keys you can create per account per region?

1000

What is the default waiting period for deleting a KMS key?

30 days

What is the purpose of the 'aws kms encrypt' API?

To encrypt data using a KMS key

Which of these is NOT an AWS KMS API mentioned in the content?

aws kms get-key-policy

What method does AWS KMS use to encrypt data in AWS services and client-side toolkits?

Envelope encryption

What is the purpose of the 'aws kms generate-data-key-without-plaintext' API?

To generate a data key without its plaintext

What is the primary limitation of AWS managed KMS keys regarding their usage?

You cannot use them directly in cryptographic operations.

What is a unique characteristic of AWS owned KMS keys?

They are owned and managed by AWS services.

How does AWS KMS handle data encryption keys?

It must be used to manage data encryption keys outside of its service.

What is the purpose of the GenerateDataKey API in AWS KMS?

To create a data encryption key using a KMS key.

What best defines a custom key store in AWS KMS?

A feature that integrates AWS CloudHSM with KMS for key management.

What happens to requests made for decrypting data keys under KMS?

They are logged in AWS CloudTrail for tracking.

Which of the following is not a function of AWS KMS?

Performing encryption in transit.

What is a key management function that KMS supports?

Setting usage policies on KMS keys.

Why are AWS KMS keys regional?

Because each key is restricted to specific AWS regions.

Which statement about data keys generated by AWS KMS is correct?

They are encrypted and stored as part of the data they protect.

What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

7 days

What is the purpose of GenerateDataKeyWithoutPlaintext API in AWS KMS?

To generate a data key without plaintext

What is the maximum number of master keys that can be created per account per region in AWS KMS?

1000

What is the purpose of Enable-key-rotation API in AWS KMS?

To enable key rotation

What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

Envelope encryption

What happens to a scheduled key deletion in AWS KMS during the waiting period?

It can be cancelled

What can be done with a Customer Managed KMS key?

Its key policies can be modified.

Which statement accurately describes the key material of a KMS key?

Key material is created by AWS KMS by default.

Which of the following is a limitation of AWS KMS regarding KMS keys?

KMS keys can encrypt data only up to 4KB.

What is true about the permissions associated with Customer Managed KMS keys?

They can have IAM policies that restrict their usage.

What distinguishes AWS Managed KMS keys from Customer Managed KMS keys?

Customer Managed KMS keys are created by user discretion.

Which statement is NOT true regarding AWS KMS keys?

AWS KMS keys can be reused across different regions without restriction.

What are KMS keys primarily used for within AWS KMS?

To encrypt and decrypt data.

How does AWS KMS handle the exporting of KMS keys?

KMS keys cannot be exported at all.

What governs the use and access of AWS KMS keys?

IAM roles and policies

Which statement about AWS owned KMS keys is accurate?

They remain fully under the control of AWS services.

What happens to Data Encryption Keys (DEKs) managed by AWS KMS?

They must be managed outside of AWS KMS.

For which scenario is a Custom Key Store in AWS KMS specifically designed?

To store master keys in HSMs securely

Which statement correctly describes the fees associated with AWS managed KMS keys?

Usage can incur fees depending on the service.

How are requests to use master keys logged in AWS KMS?

In AWS CloudTrail

In what context can AWS KMS keys not be used directly by users?

In cryptographic operations directly

What does the GenerateDataKey API do in AWS KMS?

Generates a data key using a KMS key

Which type of keys requires you to have CloudHSM resources to use custom key stores?

Custom KMS keys

What is a unique feature of KMS compared to AWS Secrets Manager?

KMS is designed specifically for encryption key management.

What is the purpose of scheduling a customer master key for deletion?

To verify the impact of deleting a key on applications and users

Which API is used to generate a data key that is used to encrypt data?

aws kms generate-data-key

What is the limit on the number of KMS keys that can be created per account per region?

1000

What happens to a scheduled key deletion during the waiting period?

The key deletion can be cancelled

What is the primary method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

Envelope encryption

What is the minimum waiting period for deleting a customer master key and associated metadata?

7 days

Which of these statements accurately describes the use of AWS managed KMS keys?

They are managed by AWS services on behalf of users.

What is the primary purpose of Data Encryption Keys (DEKs) in AWS KMS?

To encrypt and decrypt data directly.

Which of the following accurately describes the role of AWS CloudHSM in AWS KMS?

It is an optional service that can be used for storing and managing keys.

Which of the following is a feature of AWS KMS that allows for increased control over key management?

The ability to create and manage KMS keys in an AWS CloudHSM cluster.

How does AWS KMS ensure the security of master keys stored in a custom key store?

The master keys are never stored in plaintext and all operations are performed within the HSMs.

Which statement accurately describes the interaction between AWS KMS and AWS services when decrypting data?

AWS services request AWS KMS to decrypt the data key using the master key.

What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?

AWS managed keys are controlled by AWS services, while Customer Managed keys are managed by users.

Which of the following actions can be performed on a Customer Managed KMS key?

Changing the key policy to grant permissions to specific users or roles.

What is a key management function that KMS supports?

Managing and rotating master keys.

Which of the following statements accurately describes the fees associated with AWS managed KMS keys?

Users are not charged for AWS managed KMS keys unless they exceed the free tier limits.

What is a distinguishing characteristic of Customer Managed KMS keys compared to AWS Managed KMS keys?

Customer Managed KMS keys allow you to control their key policies, IAM policies, and grants.

What is a key limitation of AWS Managed KMS keys?

They cannot be rotated or have their key policies changed.

What is a primary function of a KMS key in AWS KMS?

To encrypt and decrypt data, both directly and through Data Encryption Keys (DEKs).

What is the maximum size of data that a KMS key can encrypt directly?

4 KB

Which of the following is a key distinction between symmetric and asymmetric KMS keys?

Symmetric KMS keys use the same key for encryption and decryption, while asymmetric KMS keys use separate keys.

What is the role of Data Encryption Keys (DEKs) in AWS KMS?

DEKs are used to encrypt data, which is then encrypted again using the KMS key.

Which of the following is NOT a valid way to manage a Customer Managed KMS key?

Changing the key policy of an AWS Managed KMS key.

What is the primary purpose of the GenerateDataKey API in AWS KMS?

To generate a Data Encryption Key (DEK) that can be used to encrypt data.

What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

7 days

What is the purpose of the 'aws kms re-encrypt' API?

To update the key material for a master key

What happens to a scheduled key deletion in AWS KMS during the waiting period?

The key deletion can be cancelled

What is the advantage of using envelope encryption with AWS KMS?

It generates data keys that can be used to encrypt data

What is the limit on the number of data keys that can be derived using a master key and used in your application?

Unlimited

What happens to AWS managed master keys created on your behalf for use within supported AWS services?

They do not count against the KMS key limit

What crucial element does a KMS key contain for encrypting and decrypting data?

Key material

Which action is NOT allowed with AWS Managed KMS keys?

Rotate key policies

What happens to the private keys of asymmetric KMS keys in AWS KMS?

They remain encrypted within AWS KMS.

Which of the following statements is true about Customer Managed KMS keys?

They incur fees for monthly usage and excess usage.

How many bytes can a KMS key encrypt at most for a single operation?

4096 bytes

Which of the following is a feature of Customer Managed KMS keys?

They allow the creation of aliases referring to the key.

What is a key characteristic of AWS KMS keys regarding their exportation?

They can never be exported out of KMS.

Which statement best describes the differences in management between AWS Managed KMS keys and Customer Managed KMS keys?

Customer Managed KMS keys allow for rotation and management.

What is a characteristic of AWS owned KMS keys?

They are owned and managed by AWS services.

What must a user do with data encryption keys once they are generated?

Manage and use these keys outside of AWS KMS.

How does AWS KMS handle logging of key usage?

All requests to use master keys are logged in AWS CloudTrail.

What is the role of the GenerateDataKey API in AWS KMS?

To create a data encryption key using a KMS key.

In which scenario are data encryption keys typically used?

To encrypt large amounts of data and other encryption keys.

Which statement about AWS KMS keys is true?

KMS supports both symmetric and asymmetric key types.

What is a unique feature of a Custom Key Store in AWS KMS?

Key material never leaves the HSMs in plaintext.

How are the fees structured for AWS managed KMS keys?

Fees are incurred only when keys are actively used beyond the free tier.

What governs the access and management of keys in AWS KMS?

IAM users and roles.

Which statement about the AWS Key Management Service (KMS) is accurate?

KMS operations involving keys are logged for auditing purposes.

What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

7 days

What is the purpose of the 'aws kms re-encrypt' API?

To re-encrypt data keys with a new master key

What is the limit on the number of data keys that can be derived using a master key and used in your application or by AWS services?

No limit

What happens to a scheduled key deletion in AWS KMS during the waiting period?

The key can be cancelled during the waiting period

What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

Envelope encryption

What counts towards the limit of 1000 KMS keys per account per region?

Both enabled and disabled keys

Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in AWS KMS?

DEKs are used to encrypt data that is then further encrypted using the KMS key.

Which of these options accurately describes the distinction between Customer Managed KMS keys and AWS Managed KMS keys?

Customer Managed KMS keys are managed by the user, while AWS Managed KMS keys are managed by AWS services.

Which of the following is NOT a valid way to manage a Customer Managed KMS key?

Exporting the key material for use outside of AWS.

What is a unique characteristic of AWS owned KMS keys?

They are managed by AWS services and cannot be rotated or have their key policies changed by the user.

Which of the following statements accurately describes the key material of a KMS key?

The key material is used to encrypt and decrypt DEKs.

Which of the following is NOT a function of AWS KMS?

Providing a solution for storing and managing passwords.

Which statement is NOT true regarding AWS KMS keys?

AWS KMS keys can be exported for use outside of AWS.

What is the purpose of scheduling a customer master key for deletion?

To initiate a process that will permanently delete the key and its associated metadata after a waiting period.

Which of these statements accurately describes the handling of data encryption keys (DEKs) by AWS KMS?

AWS KMS generates, encrypts, and decrypts DEKs, but does not store or manage them.

Which of the following statements is TRUE regarding AWS managed KMS keys?

AWS managed KMS keys can be subject to fees for excessive usage, but some AWS services may cover these costs.

How does AWS KMS handle the encryption and decryption of data in AWS services?

AWS services encrypt data using DEKs, and KMS encrypts the DEK using the master key and stores both securely.

What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?

AWS managed KMS keys are owned and managed by AWS, while Customer Managed KMS keys are managed by users in their AWS account.

What is the primary purpose of the GenerateDataKey API in AWS KMS?

To create and manage data encryption keys (DEKs) for encrypting data.

What is the purpose of the 'aws kms enable-key-rotation' API?

To enable automatic key rotation for a KMS key.

Why are AWS KMS keys regional?

To ensure data locality and compliance with regional regulations.

Which of the following is NOT a feature of the AWS KMS custom key store?

It allows you to manage AWS owned KMS keys directly within your custom key store.

What is the primary difference between AWS KMS and Secrets Manager?

AWS KMS is primarily used for encrypting data at rest, while Secrets Manager is designed for storing and managing sensitive data such as passwords and API keys.

Which of the following is TRUE about AWS owned KMS keys?

AWS owned KMS keys are used to encrypt and decrypt data within a specific AWS service and cannot be accessed directly.

When scheduling a customer master key for deletion, what is the minimum waiting period that can be configured?

7 days

Which API is used to encrypt data using a data key generated by AWS KMS?

aws kms encrypt

Which of the following statements accurately describes the purpose of AWS KMS Envelope Encryption?

Data keys are used to encrypt data, and those data keys are then encrypted using master keys.

What is the maximum number of KMS keys that can be created per account per region?

1000

What is the primary purpose of the Enable-key-rotation API in AWS KMS?

To enable automatic rotation of the key material for a KMS key.

Which statement accurately describes the relationship between AWS managed master keys and the KMS key limit?

AWS managed master keys do not count towards the KMS key limit.

Which of these statements about AWS Managed KMS keys is TRUE?

They are created, managed, and used on your behalf by an AWS service integrated with KMS.

What is the maximum data size a KMS key can encrypt?

4KB

Which of these actions can be performed on a Customer Managed KMS key?

Schedule a KMS key for deletion without actually deleting it.

What is the primary difference between Symmetric and Asymmetric KMS keys?

Symmetric keys use the same key for encryption and decryption, while asymmetric keys use different keys for encryption and decryption.

What is the purpose of a Data Encryption Key (DEK)?

To directly encrypt and decrypt user data.

What is NOT a function of AWS KMS?

Exporting KMS keys to external systems.

Which of the following is TRUE about the cryptographic material of a KMS key?

It is stored in an encrypted form within the KMS service, and it never leaves AWS KMS unencrypted.

Which of the following scenarios is specifically designed for the use of a Custom Key Store in AWS KMS?

Using a hardware security module (HSM) for storing sensitive key material.

Which of these options are the true statements about AWS owned KMS keys?

AWS owned KMS keys are owned and managed by AWS.

What happens to a data key after it is generated using the GenerateDataKey API in KMS?

It is stored in a secure location outside of AWS KMS, and the user is responsible for managing and tracking it.

What is a primary benefit of using a Custom Key Store in AWS KMS?

It allows you to store KMS master keys in your own CloudHSM cluster, enhancing security and control.

Which of these is a key management function that AWS KMS does NOT allow?

Directly managing the cryptographic operations with data encryption keys.

What is the primary purpose of AWS KMS?

To manage and control the encryption keys used for protecting data at rest.

Which of the following is TRUE about master keys in a Custom Key Store?

They are never exported from the CloudHSM cluster.

How does KMS ensure that the appropriate users can access and use master keys?

By assigning specific permissions to IAM users and roles.

How does KMS ensure that data can be decrypted by authorized users?

KMS grants temporary permissions to users to decrypt data based on the master key policy.

Which of the following statements is TRUE about AWS KMS key material?

It can be stored in both symmetric and asymmetric forms.

What is the main purpose of the Enable-key-rotation API in KMS?

To automatically rotate KMS keys on a regular basis.

Study Notes

AWS Key Management Store (KMS)

• AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
• Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

KMS Keys

• KMS keys consist of metadata including key ID, creation date, description, and key state.
• Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
• A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

Key Types

• Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
• AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
• AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

Data Encryption Keys

• Data keys are used for encrypting large amounts of data and other data encryption keys.
• AWS KMS does not store or manage these data keys; they must be handled externally.
• The GenerateDataKey API creates data encryption keys using KMS keys.

KMS Functionality

• Utilizes hardware security modules (HSMs) for protecting KMS keys.
• Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
• All requests to master keys are logged in AWS CloudTrail for tracking usage.

Key Management and Policies

• Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
• KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
• Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

Custom Key Store

• Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
• Ensures keys remain secure and in plaintext only within HSMs.

Key Deletion

• Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
• Default waiting period is 30 days, and deletion can be canceled during this time.

Important APIs

• Encrypt and Decrypt for encrypting/decrypting data.
• Re-encrypt for changing the encryption key used.
• GenerateDataKey for creating a data encryption key.

KMS Envelope Encryption

• Integrates with AWS clients using envelope encryption for better data security.
• Data keys are encrypted using master keys through KMS to secure the data itself.

Limits and Recommendations

• Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
• It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
• There are no restrictions on the number of data keys that can be generated from master keys.

AWS Key Management Store (KMS)

• AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
• Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

KMS Keys

• KMS keys consist of metadata including key ID, creation date, description, and key state.
• Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
• A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

Key Types

• Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
• AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
• AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

Data Encryption Keys

• Data keys are used for encrypting large amounts of data and other data encryption keys.
• AWS KMS does not store or manage these data keys; they must be handled externally.
• The GenerateDataKey API creates data encryption keys using KMS keys.

KMS Functionality

• Utilizes hardware security modules (HSMs) for protecting KMS keys.
• Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
• All requests to master keys are logged in AWS CloudTrail for tracking usage.

Key Management and Policies

• Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
• KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
• Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

Custom Key Store

• Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
• Ensures keys remain secure and in plaintext only within HSMs.

Key Deletion

• Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
• Default waiting period is 30 days, and deletion can be canceled during this time.

Important APIs

• Encrypt and Decrypt for encrypting/decrypting data.
• Re-encrypt for changing the encryption key used.
• GenerateDataKey for creating a data encryption key.

KMS Envelope Encryption

• Integrates with AWS clients using envelope encryption for better data security.
• Data keys are encrypted using master keys through KMS to secure the data itself.

Limits and Recommendations

• Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
• It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
• There are no restrictions on the number of data keys that can be generated from master keys.

AWS Key Management Store (KMS)

• AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
• Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

KMS Keys

• KMS keys consist of metadata including key ID, creation date, description, and key state.
• Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
• A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

Key Types

• Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
• AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
• AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

Data Encryption Keys

• Data keys are used for encrypting large amounts of data and other data encryption keys.
• AWS KMS does not store or manage these data keys; they must be handled externally.
• The GenerateDataKey API creates data encryption keys using KMS keys.

KMS Functionality

• Utilizes hardware security modules (HSMs) for protecting KMS keys.
• Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
• All requests to master keys are logged in AWS CloudTrail for tracking usage.

Key Management and Policies

• Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
• KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
• Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

Custom Key Store

• Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
• Ensures keys remain secure and in plaintext only within HSMs.

Key Deletion

• Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
• Default waiting period is 30 days, and deletion can be canceled during this time.

Important APIs

• Encrypt and Decrypt for encrypting/decrypting data.
• Re-encrypt for changing the encryption key used.
• GenerateDataKey for creating a data encryption key.

KMS Envelope Encryption

• Integrates with AWS clients using envelope encryption for better data security.
• Data keys are encrypted using master keys through KMS to secure the data itself.

Limits and Recommendations

• Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
• It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
• There are no restrictions on the number of data keys that can be generated from master keys.

AWS Key Management Store (KMS)

• AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
• Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

KMS Keys

• KMS keys consist of metadata including key ID, creation date, description, and key state.
• Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
• A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

Key Types

• Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
• AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
• AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

Data Encryption Keys

• Data keys are used for encrypting large amounts of data and other data encryption keys.
• AWS KMS does not store or manage these data keys; they must be handled externally.
• The GenerateDataKey API creates data encryption keys using KMS keys.

KMS Functionality

• Utilizes hardware security modules (HSMs) for protecting KMS keys.
• Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
• All requests to master keys are logged in AWS CloudTrail for tracking usage.

Key Management and Policies

• Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
• KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
• Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

Custom Key Store

• Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
• Ensures keys remain secure and in plaintext only within HSMs.

Key Deletion

• Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
• Default waiting period is 30 days, and deletion can be canceled during this time.

Important APIs

• Encrypt and Decrypt for encrypting/decrypting data.
• Re-encrypt for changing the encryption key used.
• GenerateDataKey for creating a data encryption key.

KMS Envelope Encryption

• Integrates with AWS clients using envelope encryption for better data security.
• Data keys are encrypted using master keys through KMS to secure the data itself.

Limits and Recommendations

• Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
• It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
• There are no restrictions on the number of data keys that can be generated from master keys.

AWS Key Management Store (KMS)

• AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
• Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

KMS Keys

• KMS keys consist of metadata including key ID, creation date, description, and key state.
• Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
• A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

Key Types

• Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
• AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
• AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

Data Encryption Keys

• Data keys are used for encrypting large amounts of data and other data encryption keys.
• AWS KMS does not store or manage these data keys; they must be handled externally.
• The GenerateDataKey API creates data encryption keys using KMS keys.

KMS Functionality

• Utilizes hardware security modules (HSMs) for protecting KMS keys.
• Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
• All requests to master keys are logged in AWS CloudTrail for tracking usage.

Key Management and Policies

• Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
• KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
• Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

Custom Key Store

• Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
• Ensures keys remain secure and in plaintext only within HSMs.

Key Deletion

• Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
• Default waiting period is 30 days, and deletion can be canceled during this time.

Important APIs

• Encrypt and Decrypt for encrypting/decrypting data.
• Re-encrypt for changing the encryption key used.
• GenerateDataKey for creating a data encryption key.

KMS Envelope Encryption

• Integrates with AWS clients using envelope encryption for better data security.
• Data keys are encrypted using master keys through KMS to secure the data itself.

Limits and Recommendations

• Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
• It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
• There are no restrictions on the number of data keys that can be generated from master keys.

AWS Key Management Store (KMS)

• AWS KMS is a managed service for data encryption and key management.
• Provides a reliable storage, management, and auditing solution for encryption across AWS services.
• Centrally manages and securely stores encryption keys, known as AWS KMS keys.

KMS Key Composition

• A KMS key includes metadata such as key ID, creation date, description, and key state.
• Contains key material used for encryption and decryption of data.
• Supports symmetric and asymmetric KMS keys.
• Key material remains encrypted within AWS KMS, ensuring security.

Types of KMS Keys

• Customer Managed KMS Keys:
  • Created and managed by the customer.
  • Allows full control over key policies, IAM policies, and grants.
  • Incur fees for creation and usage beyond the free tier.
• AWS Managed KMS Keys:
  • Created and managed by AWS services for the customer's account.
  • Limited control over rotation and key policies.
  • No monthly fee for these keys.
• AWS Owned KMS Keys:
  • Owned by AWS services for use across multiple accounts.
  • No visibility or management required by the customer.
  • No fees associated with these keys.

Data Encryption Keys (DEKs)

• Used for encrypting larger datasets and other data encryption keys.
• Generated, encrypted, and decrypted using AWS KMS keys.
• Managed outside of AWS KMS; KMS doesn't store or track these keys.

Key Management Capabilities

• Usage policies determine which users can perform encryption and decryption.
• KMS keys can be generated within KMS or imported from external infrastructure.
• Encrypted data must be handled within HSMs in certified environments.

KMS Integration and Compliance

• Works with various AWS services including Lambda, S3, EBS, EFS, DynamoDB, and SQS.
• Requests for master key usage are logged via AWS CloudTrail for auditing.
• Validated by compliance standards such as PCI DSS Level 1 and FIPS 140-2 Level 2.
• Specifically designed for encryption key management, distinct from Secrets Manager.

Key Deletion and Management

• Keys can be scheduled for deletion with a waiting period of 7 to 30 days, defaulting to 30 days.
• Deletion can be canceled during the waiting period to assess impact on applications.

APIs for KMS Operations

• Key APIs include:
  • Encrypt: Encrypt data.
  • Decrypt: Decrypt data.
  • Re-encrypt: Change encryption without intervention.
  • Enable-key-rotation: Automatically rotate keys.
  • GenerateDataKey: Create a data encryption key.

KMS Limits

• Maximum of 1000 KMS keys per account per region, including enabled and disabled keys.
• No limits on the number of data keys derivable from a master key.
• Identify and delete unused disabled keys to manage limits effectively.

Description

Test your knowledge of AWS Key Management Store (KMS), a managed service for encrypting data, managing and storing keys, and controlling encryption across AWS services.