Getting Started with AWS KMS [Cheat Sheet]
Alright, this one is going to take a series but listen up because it’s super important!
There’s a lot to talk about when it comes to AWS KMS, or Key Management Service, so this is going to be the first in a series of cheat sheets dedicated to KMS and data encryption in the AWS cloud. (Here’s the second in the series)
Why you need to learn KMS
KMS is not only really important to understand when you’re building on AWS, but it’s also very important to understand for the AWS Certified Security Specialty exam.
For example, while some services automatically encrypt your data at rest using KMS, it’s important to understand what that actually means from a security perspective.
You also need to understand how to control access to KMS keys, and how to troubleshoot key-access issues in AWS environments, since KMS adds both complexity and an extra layer of defense.
On top of that, there are some serious cost considerations when using KMS.
But I’m getting ahead of myself. First, we need to talk about what KMS is in the first place…
What is KMS?
KMS is AWS’ native & managed service that lets you:
- Create,
- Manage, and
- Control…
…cryptographic keys for your applications (in or outside of AWS) and AWS services to encrypt/decrypt and protect your data.
With KMS, you can more easily add encryption and digital signature functionality to your app code either directly via the API or using the AWS SDK.
You can use it to:
- Encrypt, decrypt, and re-encrypt data
- Sign and verify messages with asymmetric KMS keys
- Generate & export symmetric data keys & asymmetric data key pairs
- Generate & verify HMAC codes
- Generate random numbers for cryptographic applications
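The data-key item above is what makes envelope encryption work: you ask KMS for a data key, use the plaintext copy locally once, and store only the KMS-wrapped copy next to your ciphertext. The following is an added example (not code from this cheat sheet or from AWS) that walks that flow end to end with an in-memory stand-in for the KMS calls, `FakeKms.generate_data_key` and `FakeKms.decrypt` standing in for the real `GenerateDataKey` and `Decrypt` operations, and a constructed stdlib-only cipher standing in for AES-GCM.

```python
import os, hmac, hashlib

# Constructed stand-in cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# example runs on the standard library alone; real code would use AES-GCM.
# The KMS lesson is in the key handling around it, not in this cipher.
def _seal(key, plaintext):
    ek = hmac.new(key, b"enc", hashlib.sha256).digest()
    mk = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ks = b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    ek = hmac.new(key, b"enc", hashlib.sha256).digest()
    mk = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    ks = b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return bytes(c ^ k for c, k in zip(ct, ks))

class FakeKms:
    """In-memory stand-in for the two KMS calls envelope encryption needs.
    The KMS key material (_root) never leaves this object, just as a KMS key
    never leaves the service; callers only ever see data keys and blobs."""
    def __init__(self):
        self._root = {}
    def create_key(self, key_id):
        self._root[key_id] = os.urandom(32)
    def generate_data_key(self, key_id):  # mirrors GenerateDataKey's response shape
        dk = os.urandom(32)
        return {"Plaintext": dk,
                "CiphertextBlob": key_id.encode() + b"\0" + _seal(self._root[key_id], dk)}
    def decrypt(self, blob):  # mirrors Decrypt: the blob itself names the key
        key_id, wrapped = blob.split(b"\0", 1)
        return {"Plaintext": _open(self._root[key_id.decode()], wrapped)}

def envelope_encrypt(kms, key_id, data):
    r = kms.generate_data_key(key_id)
    ct = _seal(r["Plaintext"], data)   # plaintext data key used once, in memory only
    return r["CiphertextBlob"], ct     # persist the wrapped key beside the ciphertext

def envelope_decrypt(kms, blob, ct):
    dk = kms.decrypt(blob)["Plaintext"]  # one KMS call per object, not per byte
    return _open(dk, ct)
```

The point to notice is that the bulk data never goes to KMS and the KMS key never comes out; only the small wrapped data key crosses the boundary, and anyone who can read the stored blob still needs `kms:Decrypt` on that key to recover anything.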
It also natively integrates with many AWS services (EC2, S3, EBS, CodePipeline, and much more), which means you can use it to encrypt data, and to control who/what can decrypt that data.
As an example, Amazon S3 automatically (and by default) encrypts your data at rest by using AWS KMS under the hood, but you may want to change this default setting to use a different type of key instead. Much more on this in a future cheat sheet.
That’s it for now, as the rest is in the cheat sheet. I’ll also be partnering with AWS data & permissions security experts to produce the next few, because a) this is a topic that I’m still very much learning (cryptography has never been my strong suit), and b) this is a topic where technical accuracy is critical so I want to make sure I get a second or third pair of eyes before I release it to you.
If this is helpful, or if you or someone you know needs to learn more about AWS KMS, please consider sharing with them and feel free to download this cheat sheet!