Concepts
AWS Key Management Service (AWS KMS) is an integral service for managing encryption keys in AWS. It allows you to easily create and control the keys used for cryptographic operations. Understanding the differences between AWS Managed Keys and Customer Managed Keys is crucial for architects, developers, and security professionals who are preparing for the AWS Certified Developer – Associate (DVA-C02) exam.
AWS Managed Keys
AWS Managed Keys are created, managed, and used on behalf of the AWS customer by AWS services that are integrated with AWS KMS. These keys are designed to protect data within these services without requiring the customer to handle the underlying key management tasks.
Characteristics of AWS Managed Keys:
- Automatic Rotation: AWS automatically rotates these keys every three years.
- Service Integration: They are used by AWS services to encrypt your data at rest by default.
- No Direct Management: Customers do not have to manage the lifecycle of these keys.
Example:
When you store an object in Amazon S3, by default, it is protected using an AWS Managed Key for server-side encryption (SSE-S3).
Customer Managed Keys
Customer Managed Keys give customers more control over the encryption keys used to protect their data. These keys are created by the customer within AWS KMS and come with additional capabilities not provided by AWS Managed Keys.
Characteristics of Customer Managed Keys:
- Manual Key Rotation: Customers can manually rotate these keys and also set a rotation policy that automatically rotates them every year.
- Policy Control: Customers can add, remove, or modify the key policy that defines who can use or manage these keys.
- Audit and Usage: Customers can view logs that record every use of their keys.
- Disabled and Deleted: Customers can disable or schedule the deletion of their keys.
Example:
If a customer requires an encrypted Amazon RDS database with more granular control over the encryption key, they can choose to use a Customer Managed Key instead of the default AWS Managed Key.
Comparison Table
| Feature | AWS Managed Keys | Customer Managed Keys |
|---|---|---|
| Key Rotation | Automated every three years | Manual or automatic annually |
| Customer Control and Management | Limited | Extensive |
| Policy Control | Provided by AWS | Managed by the customer |
| Audit Trail | Limited | Detailed access with AWS CloudTrail |
| Availability for AWS Services | Selected AWS services | All AWS KMS integrated services |
| Creation & Management of Aliases | Not supported | Supported |
| Enable/Disable & Deletion | Managed by AWS | Managed by the customer |
Use Cases
- AWS Managed Key: A company deploying a new Amazon S3 bucket for simple storage would likely go with an AWS Managed Key for ease of use and automatic encryption with minimal configuration.
- Customer Managed Key: An enterprise with strict regulatory requirements, such as the need for key rotation every year and detailed audit trails, would opt for Customer Managed Keys.
In the context of the AWS Certified Developer – Associate exam, it’s important to know when and why to choose AWS Managed Keys versus Customer Managed Keys. For example, a common scenario that may be presented in the exam is when you need to provide proof of compliance with specific security standards that require key rotation and detailed logging of key usage.
To practice working with Customer Managed Keys, one might use the AWS KMS API to create a key, set permissions, and enforce key rotation. Here’s an example of how to create a Customer Managed Key using the AWS CLI:
aws kms create-key –description “Customer managed key for RDS encryption”
And to schedule key rotation:
aws kms enable-key-rotation –key-id <your-key-id>
In preparation for the DVA-C02 exam, understanding the implications of using each type of key, how to implement them, and their impact on service functionality is crucial for architecting secure and compliant AWS solutions.
Answer the Questions in Comment Section
True or False: AWS managed keys are created, managed, and used on behalf of the user by AWS for services that are integrated with AWS KMS.
- Answer: True
Explanation: AWS automatically creates and manages the AWS managed keys used by AWS services on behalf of the user.
True or False: Customer managed keys can only be used with the service they were created for.
- Answer: False
Explanation: Customer managed keys are not restricted to a single AWS service and can be used across multiple services that are integrated with AWS KMS.
Which type of key allows you to create, delete, and manage permissions?
- A) AWS managed keys
- B) Customer managed keys
- Answer: B) Customer managed keys
Explanation: Customer managed keys provide full control to the customer to create, delete, and manage permissions on the keys.
True or False: Customer managed keys and AWS managed keys have the same level of logging in AWS CloudTrail.
- Answer: False
Explanation: AWS Key Management Service (KMS) provides more extensive logging features in AWS CloudTrail for customer managed keys than for AWS managed keys.
Who is responsible for rotating the AWS managed keys?
- A) AWS
- B) The customer
- Answer: A) AWS
Explanation: AWS is responsible for rotating the AWS managed keys. The rotation occurs every three years for most services.
True or False: You can enable automatic rotation for customer managed keys in AWS KMS.
- Answer: True
Explanation: AWS KMS allows customers to enable automatic rotation for customer managed keys typically every year.
Which of the following statements is true about the cost associated with AWS managed keys and customer managed keys?
- A) AWS managed keys incur higher costs than customer managed keys.
- B) Customer managed keys incur higher costs than AWS managed keys.
- C) Both AWS managed keys and customer managed keys are free of charge.
- Answer: B) Customer managed keys incur higher costs than AWS managed keys.
Explanation: Customer managed keys can incur costs for key management and use, whereas AWS managed keys are provided at no additional charge for use with AWS services.
True or False: AWS managed keys provide a default key policy that is sufficient for most use cases without the need for customization.
- Answer: True
Explanation: AWS managed keys come with a default key policy that fits most use cases and doesn’t need to be modified by the customer.
When are customer managed keys most appropriate to use?
- A) When default key policies are sufficient.
- B) When you require detailed usage logs.
- C) When you do not need to control key rotation.
- Answer: B) When you require detailed usage logs.
Explanation: Customer managed keys are most appropriate when you require detailed control over the key policies, including usage logs and rotation.
True or False: You can import your own key material for both AWS managed and customer managed keys.
- Answer: False
Explanation: You can only import your own key material to customer managed keys, not to AWS managed keys.
Which key type supports the ability to disable and re-enable keys?
- A) AWS managed keys
- B) Customer managed keys
- C) Both A and B
- Answer: B) Customer managed keys
Explanation: Customer managed keys provide the capability to disable and re-enable keys, while AWS managed keys do not offer this feature.
True or False: Customer managed keys can be used outside of the AWS platform.
- Answer: False
Explanation: Both AWS managed and customer managed keys are meant to be used within the AWS platform and cannot be directly used outside of AWS services.
Great breakdown of AWS KMS keys! Can someone elaborate on the cost implications between using AWS managed and customer managed keys?
Thanks for this detailed post!
Does anyone know if there are performance differences between AWS managed and customer managed KMS keys?
I found this very informative. Thank you!
One drawback I encountered with customer managed keys is the complexity of setting up and maintaining IAM policies.
Appreciate the insights. This will definitely help in my DVA-C02 exam prep.
Can someone explain the auditing capabilities between AWS managed and customer managed keys?
Very helpful post, thanks!