Tutorial / Cram Notes
AWS Key Management Service (AWS KMS)
AWS KMS is a managed service that makes it easy for you to create and control encryption keys used to encrypt your data. The service is integrated with other AWS services to make it easier to encrypt data you store in these services and control access to the keys that decrypt it.
Features:
- Centralized Control of Encryption Keys: Allows centralized management of encryption keys, enabling you to create, import, rotate, disable, delete, define usage policies, and audit their use.
- Integration with AWS Services: KMS is integrated with services like Amazon S3, Amazon EBS, Amazon RDS, and AWS Lambda, allowing you to easily implement encryption across a wide variety of AWS services.
- Customer Master Keys (CMKs): These are the primary resources in KMS. They can either be customer-managed or AWS-managed. CMKs are logical representations and can control access to symmetric and asymmetric data encryption keys that can encrypt and decrypt data.
- Key Rotation: Offers the option to rotate keys, which is a vital security practice. You can automatically rotate AWS-managed CMKs or manually rotate customer-managed CMKs.
- FIPS 140-2 Compliant: Ensures a high level of security by being compliant with the Federal Information Processing Standards (FIPS) Publication 140-2, making it suitable for handling sensitive data.
Example Scenario:
An enterprise stores sensitive customer data in Amazon S3 and wants to ensure that the data is encrypted at rest. They can use AWS KMS to create a customer-managed CMK and set the Amazon S3 bucket to use that key for server-side encryption (SSE). Using IAM policies, the enterprise can restrict which users or services can use the CMK to decrypt data.
AWS Certificate Manager (ACM)
AWS Certificate Manager simplifies the management of public or private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for applications running on AWS. ACM certificates can be used with AWS services that are integrated with ACM, including Elastic Load Balancing, Amazon CloudFront, and API Gateway.
Features:
- Certificate Provisioning: Automatically provisions and renews public and private SSL/TLS certificates.
- Integration with AWS Services: Seamlessly integrates with services like AWS Elastic Load Balancer, Amazon CloudFront, and Amazon API Gateway for enabling secure communications.
- Centralized Management: Offers a single, integrated experience for managing certificates, reducing the complexity of handling SSL/TLS certificates across different AWS services.
- Domain Validation: Supports validation of ownership for domain names using email or DNS validation methods.
- Private Certificate Authority: ACM Private CA allows you to create your own private CA hierarchy for managing private SSL/TLS certificates, which is useful for internal servers and applications.
Example Scenario:
A web application running on Amazon EC2 instances behind an Elastic Load Balancer (ELB) requires SSL/TLS encryption for all its traffic. Using ACM, the administrator can request an SSL/TLS certificate, prove ownership of the domain, and then deploy the ACM certificate to the ELB without handling cryptographic operations manually.
Comparing AWS KMS to AWS ACM
Here’s a high-level comparison of the two services concerning their primary functions:
| Feature/Area | AWS KMS | AWS ACM |
|---|---|---|
| Primary Use | Key creation and management | SSL/TLS certificate management |
| Integration | Broad service integration across AWS | Integrated with specific AWS services like ELB and CloudFront |
| Security Compliance | FIPS 140-2 | Compliance standards for SSL/TLS |
| Automatic Rotation/Management | Automatic and manual key rotation | Automatic certificate renewal |
| Resource Managed | Encryption keys | SSL/TLS certificates |
| Function | Encrypt and decrypt data | Secure channels of communication |
| Access Control | IAM policies for CMKs | IAM and ACM’s built-in certificate access control |
Both AWS KMS and ACM services are integral to managing data encryption and secure communications across a range of AWS services. For individuals preparing for the AWS Certified Solutions Architect – Professional (SAP-C02) exam, a thorough understanding of these services, their use cases, and integration capabilities is essential.
Practice Test with Explanation
True or False: AWS KMS supports both symmetric and asymmetric keys.
- True
- False
Answer: True
Explanation: AWS Key Management Service (KMS) supports both symmetric and asymmetric keys, where symmetric keys are used for encryption and decryption, and asymmetric keys are used for encryption/decryption along with signing and verification operations.
In AWS KMS, what is the purpose of an alias?
- To serve as a display name for the cryptographic keys
- To log all access to the cryptographic keys
- To automatically rotate the cryptographic keys
- To encrypt the cryptographic keys themselves
Answer: To serve as a display name for the cryptographic keys
Explanation: An alias in AWS KMS is a friendly name that points to a KMS key. It is used to simplify key management tasks, such as identifying the key.
True or False: AWS Certificate Manager (ACM) can be used to import a certificate issued by a third-party certificate authority (CA).
- True
- False
Answer: True
Explanation: AWS Certificate Manager (ACM) allows users to import certificates issued by third-party CAs, in addition to using ACM to provision and manage certificates.
Which AWS service is primarily used to manage SSL/TLS certificates?
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Certificate Manager (ACM)
- AWS CloudHSM
Answer: AWS Certificate Manager (ACM)
Explanation: AWS Certificate Manager (ACM) is the service designed to manage the SSL/TLS certificates, which secure network communications and establish the identity of websites over the internet.
What is the primary function of AWS CloudHSM?
- To manage SSL/TLS certificates for your applications
- To provide hardware-based cryptographic key storage
- To store SSH keys for EC2 instances
- To manage IAM user and group permissions
Answer: To provide hardware-based cryptographic key storage
Explanation: AWS CloudHSM provides hardware-based cryptographic key storage and operations using dedicated Hardware Security Modules (HSMs) within the AWS cloud.
True or False: AWS KMS automatically rotates customer master keys (CMKs) every 90 days.
- True
- False
Answer: False
Explanation: AWS KMS provides the option to automatically rotate customer master keys (CMKs) every year (365 days), not every 90 days. However, you can manually rotate keys more frequently if you choose.
Which feature of AWS KMS ensures that only certain AWS services can use a particular customer master key (CMK) to protect data?
- Key policies
- Grants
- Key aliases
- IAM policies
Answer: Key policies
Explanation: Key policies are the primary way to control access to a customer master key (CMK) in AWS KMS. They define which IAM users and roles can use the key and what actions they can take with it.
True or False: Root users have unrestricted access to all AWS KMS keys in an account by default.
- True
- False
Answer: False
Explanation: Even the AWS account root user is subject to the key policies set on an AWS KMS key. Key policies must explicitly include the root user if they are to have access to the key.
Which statement is correct regarding envelope encryption in AWS KMS?
- Envelope encryption uses the same key for both the data key and the master key.
- Envelope encryption uses a master key to encrypt the data encryption keys, which in turn encrypt the data.
- Envelope encryption is not supported by AWS KMS.
- Envelope encryption requires AWS CloudHSM, not AWS KMS.
Answer: Envelope encryption uses a master key to encrypt the data encryption keys, which in turn encrypt the data.
Explanation: Envelope encryption is a method in which AWS KMS uses a master key to encrypt the data keys, and the data keys are then used to encrypt the data. This approach enhances security and key management.
When using AWS ACM to manage SSL/TLS certificates, what is the renewal process for Amazon-issued certificates?
- Manual renewal by the user
- Monthly auto-renewal
- Annual auto-renewal
- Automatic renewal handled by AWS
Answer: Automatic renewal handled by AWS
Explanation: Amazon-issued SSL/TLS certificates in AWS ACM are automatically renewed by AWS before they expire, as long as the DNS validation records are in place or email validation approval is provided.
True or False: When you delete a customer master key (CMK) in AWS KMS, it is instantly and permanently removed.
- True
- False
Answer: False
Explanation: When you delete a CMK in AWS KMS, it first enters a waiting period (7 to 30 days), during which the key is disabled. Only after the waiting period does AWS KMS delete the key permanently.
Can AWS KMS be used directly to encrypt large files (>4 KB)?
- Yes, KMS is designed to encrypt any size files efficiently.
- No, KMS is not recommended for direct encryption of large files; instead, use it to manage data keys for envelope encryption.
- AWS KMS only encrypts files up to 4 KB in size, larger files require AWS S
- Yes, but only with additional configuration.
Answer: No, KMS is not recommended for direct encryption of large files; instead, use it to manage data keys for envelope encryption.
Explanation: AWS KMS is designed to encrypt data that is less than 4 KB in size. For larger files, the recommended practice is to use KMS-generated data keys for envelope encryption, where you encrypt the data key with KMS and then use the plaintext data key to encrypt the file locally or in your application.
Interview Questions
What is the purpose of AWS Key Management Service (KMS)?
AWS KMS is a managed service that makes it easy to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. KMS is integrated with other AWS services to simplify managing data encryption for those services and applications.
How does AWS Certificate Manager (ACM) simplify the process of managing SSL/TLS certificates?
AWS Certificate Manager simplifies the process of provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and internal connected resources. With ACM, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or API Gateways, and let ACM handle the certificate renewals.
What is the difference between Customer Master Keys (CMKs) and data keys in AWS KMS?
Customer Master Keys (CMKs) are the primary resources in AWS KMS, used to encrypt and decrypt up to 4 kilobytes of data. For encrypting larger amounts of data, CMKs are used to generate data keys. These data keys are then used to encrypt and decrypt the data outside of KMS, allowing for efficient encryption of large data sets.
Can you explain the concept of envelope encryption in the context of AWS KMS?
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key with another key (the CMK in this case). The encrypted data and the encrypted data key are then stored together. This process adds an additional layer of security and allows for efficient encryption and decryption processes for large amounts of data.
How do you ensure that your AWS KMS keys are rotated regularly and what is the benefit of key rotation?
AWS KMS has a key rotation feature that enables you to automatically rotate the backing key of a CMK once per year. This is done without changing the key ID or the rest of the key metadata. Rotating keys on a regular basis helps reduce the risk of compromise and is considered a best practice for key management.
What are some of the compliance benefits of using AWS KMS and ACM?
Both AWS KMS and ACM aid in compliance with various standards and regulations by managing encryption keys and certificates in a secure and controlled manner. AWS KMS is integrated with AWS CloudTrail to provide logs of all key usage, which helps in meeting audit and regulatory requirements. Additionally, ACM helps in ensuring that SSL/TLS certificates are properly managed and renewed, also a common compliance requirement.
How are permissions to use AWS KMS keys governed and what is the role of IAM policies?
Permissions for AWS KMS keys are governed through AWS Identity and Access Management (IAM) policies. Users, groups, and roles can be given granular permissions to use KMS keys to perform operations such as encrypt, decrypt, re-encrypt, or manage keys. Policies can be attached directly to KMS keys for finer control over access.
Explain how AWS KMS integrates with other AWS services for data encryption.
AWS KMS seamlessly integrates with other AWS services such as EBS, S3, and Redshift to provide data encryption capabilities. When you enable encryption for these services, they interact with KMS to generate, retrieve, and use CMKs for data encryption operations.
What types of keys can you manage in AWS KMS?
In AWS KMS, you can manage two main types of keys: Customer Managed Keys (CMKs), which you have control over, and AWS Managed Keys, which are managed by AWS and used by AWS services on your behalf.
In the context of AWS KMS, what is meant by a “key policy”?
A key policy is a resource-based policy in AWS KMS that is attached directly to a CMK. This policy defines the authorization controls specifying which IAM users and roles can use the key and what actions they can perform with it. Key policies are the primary method for controlling access to CMKs.
Discuss the importance of AWS Certificate Manager’s integration with Elastic Load Balancing (ELB).
The integration of AWS Certificate Manager (ACM) with ELB allows you to easily deploy SSL/TLS certificates on your load balancers, thus enabling secure and encrypted traffic. ACM automates the certificate deployment process on ELBs and handles the complexities of certificate renewal thus providing a hassle-free experience to maintain SSL/TLS encryption.
What happens if you disable or delete a CMK in AWS KMS?
If you delete a CMK, it goes into a waiting period for a predefined duration, typically a minimum of 7 to 30 days, set at the time of scheduling key deletion. During this period, the CMK cannot be used, yet you can still decrypt the data that was encrypted with it. After the end of the waiting period, the CMK and all data keys associated with it are deleted, and the data encrypted with it becomes irretrievable. If you disable a CMK, it cannot be used for cryptographic operations, but you can re-enable it later.
Great article on AWS KMS and ACM! It really helped clarify the key rotation process.
Can someone explain the difference between symmetric and asymmetric encryption in the context of KMS?
Thanks for the detailed post, really useful for preparing for the AWS Certified Solutions Architect – Professional exam!
I appreciate the summary of AWS Certificate Manager. Handling SSL/TLS certificates automatically is a big time saver.
How does AWS KMS integrate with other AWS services like S3 and RDS?
A small correction: while the article mentions that KMS keys are region-specific, you can actually enable multi-region keys now.
Excellent breakdown of the differences between customer managed keys and AWS managed keys in KMS.
Is there any additional cost associated with using AWS Certificate Manager?